I have a problem with my Spring Boot application in security configuration. I want to apply basic authentication in a URL. My app's default URL is app/v1/items
and my ap'sp secure URL is app/v1/secure/items.
With given configuration basic authentication is not working and I can get items from both URLs. I can not configure the antMatchers.
How can it handle it?
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").permitAll()
.antMatchers("/secure").access("hasRole('USER')")
.anyRequest().authenticated();
http
.httpBasic();
http
.csrf().disable();
}
try this code please.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/app/v1/items/**").permitAll()
.antMatchers("/app/v1/secure/items/**").hasAuthority("USER")
.anyRequest().authenticated();
http.httpBasic();
http.csrf().disable();
}
Related
I have been trying to add user roles in my Spring boot application, but i'm getting error code: 403 forbidden.
This is my securtiy configuration :-
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic().disable().exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
.and().addFilterBefore(new FirebaseIdTokenFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/test").hasAuthority("ROLES_ADMIN")
}
And i have this key "authorities" in my JWT token.
{"authorities": "ROLES_ADMIN"}
What am i doing wrong?
I am writing a Java Spring Boot application that incorporates the Spring Boot Security in my pom.xml. However, It works when I redirect from login to my /home. Though when I change the page again or do a simple ajax call, I get passed a 403 error. I believe it has to do with the security and that page not having the proper access. I am looking for the best way to solve this with still keep my security intake.
Java Security:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler()) // On authentication success custom handler
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
Java Success Handler:
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
String principal = authentication.getName();
System.out.println("Successful login: principal " + principal);
ADID = principal;
response.sendRedirect("/dashboard");
}
Error in Controller:
Error 403 : http://localhost:8080/edit/ajax/doesSomething
So the /dashboard is the first page I get to if the login is successful, then after that the client inputs some fields and is moved to another page that calls a different URL path. It fails I assume when it calls the other paths that are not /dashboard
Your problem is CSRF token. You can disable it in the security configure but it is better you use it. See this site for more information.
Try this ...
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().permitAll()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler())
.and()
.logout().logoutRequestMatcher(new
AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
or disable CSRF as quick fix.
http.csrf().disable();
Add this in java security. This will permit requests to any endpoint or specified ones:
`
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/**").antMatchers("/example/endpoint");
}
`
And you can also keep your
protected void configure(HttpSecurity http) throws Exception
My aim is to add security class to my Java project except paths like "api/public/*".
When I request in POSTMAN
http://localhost:8080/api/public/signup
with a json body, I get 401. Here's my security class which permits all matchers of api/public/*:
What am I missing?
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// we don't need CSRF because our token is invulnerable
.cors()
.and()
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
// don't create session
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/public/**").permitAll()
.anyRequest().authenticated();
// Custom JWT based security filter
JwtAuthorizationTokenFilter authenticationTokenFilter = new JwtAuthorizationTokenFilter(userDetailsService(), jwtTokenUtil);
httpSecurity
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
// disable page caching
httpSecurity
.headers()
.frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank.
.cacheControl();
}
#Override
public void configure(WebSecurity web) throws Exception {
// AuthenticationTokenFilter will ignore the below paths
web
.ignoring()
.antMatchers("/api/public/*");
}
Mvn clean solved my problem. It seems build somehow stuck in a previous state.
mvn clean
I want to map local folder to localhost:8080 How can I achieve this.
I am using spring boot. have given permitall to public/pic folder.
how to open in browser like below.
http://localhost:8080/public/pic/default.jpg
above link gives 401 and asks for username and password.
using below code for security in spring
#Override
protected void configure (HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors().disable();
http.authorizeRequests()
.antMatchers("/public/pic/**").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.logout();
// #formatter:on
}
where should be the folder /public/pic in local system?
Try to add to your config
#Override
public void configure(WebSecurity webSecurity) {
webSecurity.ignoring().antMatchers("/public/pic/**");
}
Spring Security "will provide you with a login form"...https://docs.spring.io/spring-security/site/docs/current/guides/html5/hellomvc-javaconfig.html
So how can I trigger the built-in form on the secured requests?
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("admin").roles("ADMIN", "USER").and()
.withUser("guest").password("guest").roles("USER");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.httpBasic().and()
.authorizeRequests()
.antMatchers(HttpMethod.POST,"/test").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/test/**").hasRole("ADMIN")
.antMatchers(HttpMethod.DELETE,"/test/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PATCH,"/test/**").hasRole("ADMIN").and()
.formLogin()
.and()
.csrf().disable();
}
When I make a POST to "/test" without signing in, it is correctly prevented and secured, but I'd like Spring to trigger its login form when the request is made from my front-end. Especially without creation of an html file, or a /login Controller, which seems like this feature makes possible.