Develop Reference

Spring Boot Oauth2 authorization server not accepting valid tokens

I have problems setting up a simple microservice system using Spring Boot's OAuth2 capabilities.
What I want to do is to set up a Spring Boot Authorization Server handling registration, authorization and user data management. Besides that, I'd like to set up a Resource Server handling the logic of the application.
Because all data is stored related to the user's ID, the resource server has to request the ID from authorization server. Therefore, I've set up the following user info endpoint:
#Controller
public class UserInfoEndpoint {
private UserManagementBean userManagementBean;
#Autowired
public UserInfoEndpoint(final UserManagementBean userManagementBean) {
this.userManagementBean = userManagementBean;
}
#GetMapping("/user/me")
#ResponseBody
public Principal user(final Principal principal) throws PRPException {
User user = userManagementBean.loadUser(principal.getName());
#SuppressWarnings("unused")
Principal retVal = new Principal() {
#Override
public String getName() {
return user.getId().toString();
}
public String getPrimaryEmail() {
return user.getPrimaryEmail();
}
};
return retVal;
}
}
At the moment, I'm using JWK to sign the tokens. I am able to access this endpoint with Postman, where I get the following result:
{
"primaryEmail": "eric#live.de",
"name": "3"
}
However, when trying to obtain user information with the resource server
#Bean
#RequestScope
public OAuth2Authentication userInfo(final HttpServletRequest request) {
UserInfoTokenServices services = new UserInfoTokenServices("http://localhost:8081/user/me", "PRPBackend");
services.setPrincipalExtractor(principalExtractor());
String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
String tokenString = authHeader.replace("Bearer ", "").replace("bearer ", "");
DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenString);
AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setAccessTokenUri("http://localhost:8081/oauth/token");
resource.setClientId("PRPBackend");
resource.setClientSecret("secret");
resource.setUserAuthorizationUri("http://localhost:8081/oauth/authorize");
resource.setAuthenticationScheme(AuthenticationScheme.header);
resource.setClientAuthenticationScheme(AuthenticationScheme.header);
OAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
clientContext.setPreservedState("key", "abcdef");
clientContext.setAccessToken(accessToken);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource, clientContext);
services.setRestTemplate(restTemplate);
OAuth2Authentication authentication = services.loadAuthentication(tokenString);
return authentication;
}
the authorization server tells me, that the user is anonymous.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /logout'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/actuator/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/favicon.ico'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/confirm/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/signup'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/oauth/authorize'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/css/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/img/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'OPTIONS /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /user/me; Attributes: [authenticated]
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-12-16 06:28:30.533 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#33824388, returned: -1
2019-12-16 06:28:30.545 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) [spring-boot-actuator-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at com.prp.auth.security.filter.SimpleCorsFilter.doFilter(SimpleCorsFilter.java:38) [main/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_222]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_222]
and returns the login page.
I've tried several configs, but nothing worked. Here's my security config of the authorization server:
#Override
protected void configure(final HttpSecurity http) throws Exception {
// #formatter:off
http.requestMatchers().and()
.authorizeRequests()
.and()
.authorizeRequests()
.antMatchers("/actuator/**", "/favicon.ico").permitAll()
.antMatchers(HttpMethod.GET, "/login", "/confirm/**", "/signup",
"/oauth/authorize", "/css/**", "/img/**").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
.and().formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().anyRequest().authenticated()
.and().headers().frameOptions().disable()
.and().cors().configurationSource(new CorsConfigurationSource() {
#Override
public CorsConfiguration getCorsConfiguration(final HttpServletRequest request) {
CorsConfiguration conf = new CorsConfiguration();
List<String> allowedOrigins = new ArrayList<>();
allowedOrigins.add("http://localhost:8000");
conf.setAllowedOrigins(allowedOrigins);
List<String> allowedMethods = new ArrayList<>();
allowedMethods.add("POST");
conf.setAllowedMethods(allowedMethods);
return conf;
}
});
}
EDIT:
I've been trying to access the same endpoint via Postman and JQuery. Postman is able to fetch the user's data, the JQuery implementation gets the same error as described above.
One more edit:
The JQuery request I'm testing with is the following:
fetchUser() {
let ref = this;
console.log("Calling URL to load user information: " + localStorageManager.loadOauthProvider() + "/user/me");
$.ajax({
url: localStorageManager.loadOauthProvider() + "/user/me",
method: "GET",
headers: ref.oauth2.authorizationHeader,
success: function(data, status, xhr) {
console.log("Fetch user response: " + JSON.stringify(data));
},
error: function(xhr, status, error) {
console.log("Error: " + error);
}
});
}
The result:
Fetch user response: "<!doctype html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\"\n\tcontent=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n<meta name=\"description\" content=\"\">\n<meta name=\"author\" content=\"\">\n<link rel=\"icon\" href=\"/img/favicon.ico\">\n\n<title>Login</title>\n<link rel=\"stylesheet\"\n\thref=\"/css/bootstrap.min.css\" />\n\n<!-- Custom styles for this template -->\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/css/login.css\" />\n\n</head>\n\n<body class=\"text-center\">\n\n\t<form name=\"login\" action=\"/login\" method=\"post\"\n\t\tclass=\"form-signin\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">LEVO</h1>\n\t\t<img class=\"mb-4\" src=\"/img/logo.png\" alt=\"\" width=\"72\"\n\t\t\theight=\"72\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">\n\t\t\t<span>Anmelden</span>\n\t\t</h1>\n\t\t\n\t\t\n\t\t<label for=\"username\" class=\"sr-only\">E-Mail</label>\n\t\t<input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\"\n\t\t\tplaceholder=\"E-Mail\" required autofocus>\n\t\t<label for=\"password\" class=\"sr-only\"></label>\n\t\t<input type=\"password\" id=\"password\" name=\"password\"\n\t\t\tclass=\"form-control\" placeholder=\"Passwort\"\n\t\t\trequired>\n\t\t<div class=\"checkbox mb-3\">\n\t\t\t<label> <input type=\"checkbox\" value=\"remember-me\"> <span>Angemeldet bleiben</span>\n\t\t\t</label>\n\t\t</div>\n\t\t<button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">\n\t\t\t<span>Anmelden</span>\n\t\t</button>\n\t\t<a class=\"nav-link\" href=\"/signup\">\n\t\t\t<span data-feather=\"home\"></span>\n\t\t\t<span>Hier registrieren</span>\n\t\t</a>\n\n\t\t<p class=\"mt-5 mb-3 text-muted\">© Levo 2019</p>\n\t</form>\n\n\n</body>\n</html>"
Postman is creating the following request, which works:
GET /user/me HTTP/1.1 Host: localhost:8081 Authorization: Bearer [...]

From my point of view your SecurityConfig handles not what you expect. Your first rule http.requestMatchers().and().authorizeRequests() means:
requestMatchers() configures if an URL will be processed by that SecurityFilterChain. So if an URL does not match it , the whole SecurityFilterChain will be skipped which means Spring Security will not handle this URL after that. If you do not configure it, the default is to match all URLs.
So you need to define your antMatchers Resources which should be processed by this SecurityFilerChain. If you change this rule to the following basic config http.requestMatchers().antMatchers("/")... the user endpoint should work as expected.
The reason behind this is, that the endpoint /user/me should not be handled/overridden by this SecurityConfigChain. So if you have enabled the ResourceServer of Spring in a default way, the default config is used for this endpoint.
So in this antMatchers("/") you should define all resources which should be handled by this security filter but not the user/me.

You have both #EnableAuthorizationServer, #EnableResourceServer in AuthServerConfig which might be causing the issue. Remove #EnableResourceServer as you are extending the AuthorizationServerConfigurerAdapter with AuthServerConfig
Change
#Configuration
#EnableAuthorizationServer
#EnableResourceServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter
To
#Configuration
#EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter

Spring Boot Security not working properly

I am creating a spring boot project with many micro services. My project consists of an Api Gateway(Zuul) a discovery service (Eureka) and two other micro services (Users and Accounts).
On the Gateway service I have implemented Spring Boot Security like this:
WebSecurity.java
#Configuration
#EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
#Autowired
Environment environment;
public WebSecurity(Environment environment) {
this.environment = environment;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().frameOptions().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/createUser").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/login").permitAll()
.anyRequest()
.authenticated()
.and()
.addFilter(new AuthorizationFilter(authenticationManager(),environment));
}
}
Authorization Filter
public class AuthorizationFilter extends BasicAuthenticationFilter {
Environment environment;
AuthenticationManager authManager;
public AuthorizationFilter(AuthenticationManager authManager,Environment environment) {
super(authManager);
this.environment = environment;
}
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer")) {
chain.doFilter(request,response);
return;
}
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request,response);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null) {
return null;
}
String token = authorizationHeader.replace("Bearer","");
String userId = Jwts.parser()
.setSigningKey(environment.getProperty("token.secret"))
.parseClaimsJws(token)
.getBody()
.getSubject();
if (userId == null) {
return null;
}
return new UsernamePasswordAuthenticationToken(userId,null, new ArrayList<>());
}
}
So according to this everything should be authenticated except the first four urls right?
Because now it giving me this on all urls that according to my configurations should not need authentication
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/users-ws/users/status/check'; against 'users-ws/users/status/check'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/h2-console/**'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/createUser'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/login'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/users-ws/users/status/check'; against '/logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'PUT /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'DELETE /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 5 of 11 in additional filter chain; firing Filter: 'AuthorizationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /users-ws/users/status/check; Attributes: [authenticated]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#603b97b3, returned: -1
2019-10-13 15:00:55.216 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at com.example.apigatewayservice.apigatewayservice.security.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:33) [classes/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:114) [spring-boot-actuator-2.1.9.RELEASE.jar:2.1.9.RELEASE]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:104) [spring-boot-actuator-2.1.9.RELEASE.jar:2.1.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.26.jar:9.0.26]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.26.jar:9.0.26]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#46c5ddf9
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against 'users-ws/users/status/check'
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/h2-console/**'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/createUser'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/login'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'PUT /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'DELETE /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 5 of 11 in additional filter chain; firing Filter: 'AuthorizationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-10-13 15:00:55.219 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error reached end of additional filter chain; proceeding with original chain
2019-10-13 15:00:55.222 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-10-13 15:00:55.222 DEBUG 34683 --- [nio-8011-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Disable delta property : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Single vip registry refresh property : null
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Force full registry fetch : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Application is null : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Registered Applications size is zero : true
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Application version is -1: false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Getting all instance registry info from the eureka server
2019-10-13 15:00:55.916 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : The response status is 200

You can add endpoints in configure(WebSecurity web) where you do not need to authenticate the user.
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check")
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**")
.antMatchers(HttpMethod.POST,"users-ws/users/createUser")
.antMatchers(HttpMethod.POST,"users-ws/users/login");
//completely bypass the Spring Security Filter Chain.
}
WebSecurity.java
#Configuration
#EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
#Autowired
Environment environment;
public WebSecurity(Environment environment) {
this.environment = environment;
}
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check")
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**")
.antMatchers(HttpMethod.POST,"users-ws/users/createUser")
.antMatchers(HttpMethod.POST,"users-ws/users/login");
//completely bypass the Spring Security Filter Chain.
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().frameOptions().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.addFilter(new AuthorizationFilter(authenticationManager(),environment));
}
}

Spring Boot Security ignores cors configuration

I added Spring Security (5.0.0.RELEASE) with JWT Authentication to Spring Boot (1.5.7.RELEASE), but the CORS seems to not work.
I added the CORS configuration as described here.
I also tried adding #CrossOrigin to the controllers, but it doesn't seem to change anything.
When calling POST and GET requests from the front-end (Angular JS 5) there doesn't seem to be any CORS problem, but when calling DELETE I get CORS error.
Here's the security configuration:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurity extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public WebSecurity(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.antMatchers(HttpMethod.GET, ACTIVATE_URL).permitAll()
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
// this disables session creation on Spring Security
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
#Bean
CorsConfigurationSource corsConfigurationSource() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.addAllowedMethod(HttpMethod.TRACE);
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
And here are the headers from postman when sending OPTIONS request:
Allow →DELETE,GET,HEAD,POST
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Content-Length →0
Date →Fri, 12 Jan 2018 13:22:08 GMT
Expires →0
Pragma →no-cache
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block
The allow-access-control-origin header is missing, as well as the HTTP TRACE I added to see if the configuration is working.
And the spring security debug logs:
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#7ce27d90
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'PUT /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'DELETE /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 6 of 13 in additional filter chain; firing Filter: 'JWTAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 7 of 13 in additional filter chain; firing Filter: 'JWTAuthorizationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /api/users/register
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /api/users/activate/**
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/request-reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories/*'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/stories/7; Attributes: [permitAll]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#703f0616, returned: 1
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 reached end of additional filter chain; proceeding with original chain
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
And here are the logs for Invalid CORS request:
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#7d9c9d3c
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

When using a breakpoint as dur sugested it turned out allowMethods was always null
Adding the following line to corsConfigurationSource fixed it:
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE", "OPTIONS"));

Stackoverflow error spring data jpa

I have this simple get request to get information based on topicId that is stored in db as 1486485753923
#RequestMapping(path = "/get_topic_details", method = RequestMethod.GET)
public ResponseEntity get_topic_details(#RequestParam(value="topicId") long topicId) throws Exception {
System.out.println("Topic id is " + topicId);
TopicBean topicBean = topicService.findByTopicId(topicId);
return new ResponseEntity(topicBean, HttpStatus.OK);
}
Repository:
#Repository
public interface TopicRepository extends JpaRepository<TopicBean, Long>{
List<TopicBean> findTop10ByUsername(String username);
Page<TopicBean> findAllByPage(Pageable pageable);
// #Query("SELECT t FROM TopicBean t WHERE (t.topicId) = (:topicId)")
TopicBean findByTopicId(long topicId);
#Transactional
Long deleteByTopicId(String topicId);
List<TopicBean> findByUsername(String username);
}
And I get this error:
2017-02-17 13:44:50.542 DEBUG 4828 --- [nio-8080-exec-1] .m.m.a.ExceptionHandlerExceptionResolver : Resolving exception from handler [public org.springframework.http.ResponseEntity seconds47.restAPI.TopicsRest.get_topic_details(long) throws java.lang.Exception]: org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.StackOverflowError
org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.StackOverflowError
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:978) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410) [tomcat-embed-core-8.5.6.jar:8.5.6]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.6.jar:8.5.6]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.6.jar:8.5.6]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Printing Debug info:
2017-02-17 13:44:51.132 DEBUG 4828 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
2017-02-17 13:44:51.132 DEBUG 4828 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /error
2017-02-17 13:44:51.134 DEBUG 4828 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)]
2017-02-17 13:44:51.134 DEBUG 4828 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Last-Modified value for [/error] is: -1
2017-02-17 13:44:51.270 DEBUG 4828 --- [nio-8080-exec-1] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Written [{timestamp=Fri Feb 17 13:44:51 IST 2017, status=500, error=Internal Server Error, exception=java.lang.StackOverflowError, message=No message available, path=/get_topic_details}] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter#2e3900dc]
2017-02-17 13:44:51.272 DEBUG 4828 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2017-02-17 13:44:51.272 DEBUG 4828 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Successfully completed request
2017-02-17 13:44:51.306 DEBUG 4828 --- [nio-8080-exec-2] o.s.w.s.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/get_comments_by_topicId]
2017-02-17 13:44:51.307 DEBUG 4828 --- [nio-8080-exec-2] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /get_comments_by_topicId
2017-02-17 13:44:51.308 DEBUG 4828 --- [nio-8080-exec-2] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public java.util.List<seconds47.beans.CommentBean> seconds47.restAPI.CommentRest.getCommentsByTopicId(java.lang.String)]
2017-02-17 13:44:51.308 DEBUG 4828 --- [nio-8080-exec-2] o.s.w.s.DispatcherServlet : Last-Modified value for [/get_comments_by_topicId] is: -1
2017-02-17 13:44:51.325 DEBUG 4828 --- [nio-8080-exec-2] o.h.j.c.CriteriaQueryImpl : Rendered criteria query -> select generatedAlias0 from CommentBean as generatedAlias0 where generatedAlias0.topicId=:param0
2017-02-17 13:44:51.347 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.QueryTranslatorFactoryInitiator : QueryTranslatorFactory : org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory#22d0cb47
2017-02-17 13:44:51.347 INFO 4828 --- [nio-8080-exec-2] o.h.h.i.QueryTranslatorFactoryInitiator : HHH000397: Using ASTQueryTranslatorFactory
2017-02-17 13:44:51.422 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.QueryTranslatorImpl : parse() - HQL: select generatedAlias0 from seconds47.beans.CommentBean as generatedAlias0 where generatedAlias0.topicId=:param0
2017-02-17 13:44:51.444 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.QueryTranslatorImpl : --- HQL AST ---
\-[QUERY] Node: 'query'
+-[SELECT_FROM] Node: 'SELECT_FROM'
| +-[FROM] Node: 'from'
| | \-[RANGE] Node: 'RANGE'
| | +-[DOT] Node: '.'
| | | +-[DOT] Node: '.'
| | | | +-[IDENT] Node: 'seconds47'
| | | | \-[IDENT] Node: 'beans'
| | | \-[IDENT] Node: 'CommentBean'
| | \-[ALIAS] Node: 'generatedAlias0'
| \-[SELECT] Node: 'select'
| \-[IDENT] Node: 'generatedAlias0'
\-[WHERE] Node: 'where'
\-[EQ] Node: '='
+-[DOT] Node: '.'
| +-[IDENT] Node: 'generatedAlias0'
| \-[IDENT] Node: 'topicId'
\-[COLON] Node: ':'
\-[IDENT] Node: 'param0'
2017-02-17 13:44:51.444 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.ErrorCounter : throwQueryException() : no errors
2017-02-17 13:44:51.508 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.HqlSqlBaseWalker : select << begin [level=1, statement=select]
2017-02-17 13:44:51.540 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.t.FromElement : FromClause{level=1} : seconds47.beans.CommentBean (generatedAlias0) -> commentbea0_
2017-02-17 13:44:51.542 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.t.FromReferenceNode : Resolved : generatedAlias0 -> commentbea0_.id
2017-02-17 13:44:51.550 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.t.FromReferenceNode : Resolved : generatedAlias0 -> commentbea0_.id
2017-02-17 13:44:51.552 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.t.DotNode : getDataType() : topicId -> org.hibernate.type.StringType#3af10d0b
2017-02-17 13:44:51.553 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.t.FromReferenceNode : Resolved : generatedAlias0.topicId -> commentbea0_.topicId
2017-02-17 13:44:51.557 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.HqlSqlBaseWalker : select : finishing up [level=1, statement=select]
2017-02-17 13:44:51.557 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.HqlSqlWalker : processQuery() : ( SELECT ( {select clause} commentbea0_.id ) ( FromClause{level=1} comments commentbea0_ ) ( where ( = ( commentbea0_.topicId commentbea0_.id topicId ) ? ) ) )
2017-02-17 13:44:51.572 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.u.JoinProcessor : Using FROM fragment [comments commentbea0_]
2017-02-17 13:44:51.572 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.HqlSqlBaseWalker : select >> end [level=1, statement=select]
2017-02-17 13:44:51.573 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.QueryTranslatorImpl : --- SQL AST ---
\-[SELECT] QueryNode: 'SELECT' querySpaces (comments)
+-[SELECT_CLAUSE] SelectClause: '{select clause}'
| +-[ALIAS_REF] IdentNode: 'commentbea0_.id as id1_2_' {alias=generatedAlias0, className=seconds47.beans.CommentBean, tableAlias=commentbea0_}
| \-[SQL_TOKEN] SqlFragment: 'commentbea0_.commentDate as commentD2_2_, commentbea0_.commentId as commentI3_2_, commentbea0_.comments as comments4_2_, commentbea0_.topicId as topicId5_2_, commentbea0_.userImage as userImag6_2_, commentbea0_.username as username7_2_'
+-[FROM] FromClause: 'from' FromClause{level=1, fromElementCounter=1, fromElements=1, fromElementByClassAlias=[generatedAlias0], fromElementByTableAlias=[commentbea0_], fromElementsByPath=[], collectionJoinFromElementsByPath=[], impliedElements=[]}
| \-[FROM_FRAGMENT] FromElement: 'comments commentbea0_' FromElement{explicit,not a collection join,not a fetch join,fetch non-lazy properties,classAlias=generatedAlias0,role=null,tableName=comments,tableAlias=commentbea0_,origin=null,columns={,className=seconds47.beans.CommentBean}}
\-[WHERE] SqlNode: 'where'
\-[EQ] BinaryLogicOperatorNode: '='
+-[DOT] DotNode: 'commentbea0_.topicId' {propertyName=topicId,dereferenceType=PRIMITIVE,getPropertyPath=topicId,path=generatedAlias0.topicId,tableAlias=commentbea0_,className=seconds47.beans.CommentBean,classAlias=generatedAlias0}
| +-[ALIAS_REF] IdentNode: 'commentbea0_.id' {alias=generatedAlias0, className=seconds47.beans.CommentBean, tableAlias=commentbea0_}
| \-[IDENT] IdentNode: 'topicId' {originalText=topicId}
\-[NAMED_PARAM] ParameterNode: '?' {name=param0, expectedType=org.hibernate.type.StringType#3af10d0b}
2017-02-17 13:44:51.573 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.ErrorCounter : throwQueryException() : no errors
2017-02-17 13:44:51.585 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.QueryTranslatorImpl : HQL: select generatedAlias0 from seconds47.beans.CommentBean as generatedAlias0 where generatedAlias0.topicId=:param0
2017-02-17 13:44:51.586 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.QueryTranslatorImpl : SQL: select commentbea0_.id as id1_2_, commentbea0_.commentDate as commentD2_2_, commentbea0_.commentId as commentI3_2_, commentbea0_.comments as comments4_2_, commentbea0_.topicId as topicId5_2_, commentbea0_.userImage as userImag6_2_, commentbea0_.username as username7_2_ from comments commentbea0_ where commentbea0_.topicId=?
2017-02-17 13:44:51.586 DEBUG 4828 --- [nio-8080-exec-2] o.h.h.i.a.ErrorCounter : throwQueryException() : no errors
2017-02-17 13:44:51.645 DEBUG 4828 --- [nio-8080-exec-2] o.h.SQL : select commentbea0_.id as id1_2_, commentbea0_.commentDate as commentD2_2_, commentbea0_.commentId as commentI3_2_, commentbea0_.comments as comments4_2_, commentbea0_.topicId as topicId5_2_, commentbea0_.userImage as userImag6_2_, commentbea0_.username as username7_2_ from comments commentbea0_ where commentbea0_.topicId=?
2017-02-17 13:44:51.702 DEBUG 4828 --- [nio-8080-exec-2] m.m.a.RequestResponseBodyMethodProcessor : Written [[]] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter#2e3900dc]
2017-02-17 13:44:51.702 DEBUG 4828 --- [nio-8080-exec-2] o.s.w.s.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2017-02-17 13:44:51.702 DEBUG 4828 --- [nio-8080-exec-2] o.s.w.s.DispatcherServlet : Successfully completed request
I don't understand what is the issue here.
Any body please help. I have been trying to fix this from last two days.

I can't comment yet so I'll write here. The problem might be in your ResponseEntity. Please post the code from that class too. Stackoverflow makes me think of recursion and self referencing methods. Anything like that going on anywhere?

Oauth2 is rejecting the request for login page how do I fix

I've enabled OAuth2 in my Spring IO 2.0.6 Platform as follows
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure( final HttpSecurity http ) throws Exception {
http.authorizeRequests()
.antMatchers( "/**" )
.permitAll()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
}
but when I go to / for my index.html which has my login form I receive the following.
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
here's what appears to be relevant debug level logsj
2016-07-20 17:34:50.063 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#174f5835
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/css/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/js/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/favicon.ico'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/error'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token_key']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token_key'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/check_token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/check_token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#6c710c23
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID B18ACABBAAF00852E3373A4EB0BDDCE2 is invalid.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [#oauth2.throwOnError(authenticated)]
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#1a3d182d, returned: -1
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'authorizationAuditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'auditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jul 20 17:34:50 CDT 2016, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.0.10.RELEASE.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.6.RELEASE.jar:1.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_92]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_92]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter#c4b9155]
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
What do I need to do to allow requests through to my /?

It appears I have to do the following, / and /index.html are both required, the rest depends on your layout, though I did have to define allowing the /webjars/ which is surprising
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure( final WebSecurity web ) throws Exception {
web.ignoring()
.antMatchers( "/", "/index.html", "/partials/**/*.html" )
.antMatchers( "/webjars/**/*.js" )
.antMatchers( "/webjars/**/*.css" );
}
#Override
protected void configure( final HttpSecurity http ) throws Exception {
super.configure( http );
}
}