I am implementing OAuth2 authorization grant flow.
When logging in through the Login page, the user is able to receive an access token. However, when I pass the access token to call an endpoint, which requires authentication, it triggers an exception.
Here are some logs:
|2017-08-05 22:37:54.102 INFO 18809 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter
chain:
org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher#7efa3f63,
[
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#7134b8a7,
org.springframework.security.web.context.SecurityContextPersistenceFilter#3ff54f3d,
org.springframework.security.web.header.HeaderWriterFilter#7b61bf11,
org.springframework.security.web.authentication.logout.LogoutFilter#18b74ea,
org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter#1665fa54,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter#14c93774,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#62a68bcb,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter#2262d6d5,
org.springframework.security.web.session.SessionManagementFilter#40247d48,
org.springframework.security.web.access.ExceptionTranslationFilter#315105f,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor#70025b99]
As you can see, there is an OAuth2AuthenticationProcessingFilter in the chain.
However, when I call an endpoint, I get the following log:
.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-08-05 23:14:24.809 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#7091e577
2017-08-05 23:14:24.809 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users' doesn't match 'POST /logout
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 6 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users' doesn't match 'POST /login
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.session.SessionManagementFilter : Requested session ID 82C8AE1B7613B93D9F52F5A09CA5D114 is invalid.
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /users at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users' doesn't match 'POST /logout
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/users'; against '/resources/**'
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /users; Attributes: [authenticated]
2017-08-05 23:14:24.814 DEBUG 19570 --- [nio-8080-exec-3] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Sat Aug 05 23:14:24 CEST 2017, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2017-08-05 23:14:24.817 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Authentication exception occurred; redirecting to authentication entry point
And as you can see in the second log, it did not go through OAuth2AuthenticationProcessingFilter.
And here is my security configuration:
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and().anonymous().disable();
}
}
Does anybody know what might be the reason?
Thanks!
UPDATE 1
Here is my configuration:
https://gist.github.com/osgafarov/ef432de739f0e8dd2eb595c0c75aff1d
Here is how I call the endpoint:
curl -H "Authorization: bearer eaee916e-fdf1-4e80-808e-cfd9b2944539" localhost:8080/users
UPDATE 2
I have figured out that if I set
security.oauth2.resource.filter-order = 3
then the above command works, however with this setting when I call /oauth/authorize, I receive the following error:
"Full authentication is required to access this resource. Unauthorized".
I had similar issues and resolved as follows, you need to configure resource server:
#Configuration
#EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
#Autowired
private TokenStore tokenStore;
#Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**", "/secured_area/**")
// etc. add more matchers
.authorizeRequests()
.anyRequest().authenticated();
}
#Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore).resourceId("myapp");
}
}
Also as of spring boot 1.5.1+ i believe, security filter orders changed, you might want to overide the order:
#Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { ..... }
Related
Front end : React 16.12.0 | Back end : Spring 2.2.4.RELEASE
I am currently facing an issue regarding preflight CORS request. From my understanding, each non simple request (eg. GET with Authorization token) will trigger a preflight CORS request that the server has to validate through a response with all allowed parameters the "real" request send after should respect.
The preflight is coming on server side as a OPTION request and should hit my cors filter in order to be validated.
Request send from front end:
export function greeting() {
const access_token = AuthTokenFromStore().oauthData.access_token;
const obj = {
method: 'GET',
headers: {
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
'Accept': 'application/json',
'Authorization': 'Bearer ' + access_token
}
};
return (fetch('http://localhost:8080/api/v1/greeting', obj)
.then(res => res.json()));
}
Error message receive:
OPTIONS http://localhost:8080/api/v1/greeting 401
Access to fetch at 'http://localhost:8080/api/v1/greeting' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
spring security config:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityServerConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(final HttpSecurity http) throws Exception {
http
.cors() // <-- fetch the corsFilter bean
.and()
.csrf().disable()
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/oauth/authorize**", "/login**", "/error**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
//...
}
cors filter config:
#Configuration
#Order(Ordered.HIGHEST_PRECEDENCE)
public class CORSConfig {
#Bean
public CorsFilter corsFilter() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
configuration.setAllowCredentials(true);
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("origin", "x-authorization", "content-type", "accept"));
configuration.setMaxAge(3600L);
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
}
}
my log :
2020-03-19 17:00:24.993 DEBUG 9452 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer : Received [OPTIONS /api/v1/greeting HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:3000
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Access-Control-Request-Headers: authorization
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
]
2020-03-19 17:00:24.994 DEBUG 9452 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase : Security checking request OPTIONS /api/v1/greeting
2020-03-19 17:00:24.994 DEBUG 9452 --- [nio-8080-exec-2] org.apache.catalina.realm.RealmBase : No applicable constraints defined
2020-03-19 17:00:24.994 DEBUG 9452 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase : Not subject to any constraint
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v1/greeting'; against '/oauth/token'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token_key']
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v1/greeting'; against '/oauth/token_key'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/check_token']
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v1/greeting'; against '/oauth/check_token'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/v1/greeting' doesn't match 'GET /logout'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/v1/greeting' doesn't match 'POST /logout'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/v1/greeting' doesn't match 'PUT /logout'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/v1/greeting' doesn't match 'DELETE /logout'
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2020-03-19 17:00:25.000 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 5 of 10 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2020-03-19 17:00:25.001 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters : Set encoding to UTF-8
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/v1/greeting at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v1/greeting'; against '/api/**'
2020-03-19 17:00:25.006 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/v1/greeting; Attributes: [#oauth2.throwOnError(authenticated)]
2020-03-19 17:00:25.010 DEBUG 9452 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
During debug, i can see http.cors() get my bean corsFilter properly but why it does not appear in the log ?
I tested a lot of solution (google reasearcg, tutorials, official spring docs, baeldung, stackoverflow... etc) no one worked for me. Also, the framework gives us a way to do it properly so i want to avoid adding filter manually to bypass OPTIONS request (it will be my last resort).
Could someone help me on this issue ? or point out what i did wrong ?
Thanks for your help !
Find out the issue, i have configured ResourceServerConfigurerAdapter at the same time as my WebSecurityConfigurerAdapter. It seems like ResourceServerConfigurerAdapter has a higher priority so all my custom configuration was not taken into account. The only purpose of WebSecurityConfigurerAdapter is to provide authentication process for OAuth2.
So i simplified the configure method to the bear minimum in my security config and move all other configuration to resourceServer config, and more especially the cors filter that was the solution to my original blocking point.
Discussed :
ResourceServerConfigurerAdapter vs WebSecurityConfigurerAdapter
I have created post endpoint with use of Spring Boot related to below code:
#PostMapping("/users/")
ResponseEntity<String> registerUser(#RequestBody JSONObject user) {
System.out.println("registerUser method triggered");
return userRegistrationResponseGenrator.generateResponse((userRegistrator.registerUser(user)));
}
When I however test the endpoint with code related to below
registrationPath = String.format("http://localhost:%s/users/", port);
#Test
public void registerUserTest() {
restTemplate.postForObject(registrationPath, validUserJSONObject, RequestEntity.class);
}
I face exception
org.springframework.web.client.HttpClientErrorException$Forbidden: 403 null
How can I resolve this issue?
Edit:
I have followed idea posted in one of comments and below are logs related to case
2018-11-26 19:43:35.110 INFO 5208 --- [o-auto-1-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2018-11-26 19:43:35.110 INFO 5208 --- [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2018-11-26 19:43:35.152 INFO 5208 --- [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 42 ms
2018-11-26 19:43:35.171 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /users at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-11-26 19:43:35.173 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /users at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-11-26 19:43:35.174 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2018-11-26 19:43:35.174 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2018-11-26 19:43:35.177 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /users at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-11-26 19:43:35.178 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /users at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
2018-11-26 19:43:35.387 WARN 5208 --- [o-auto-1-exec-1] o.a.c.util.SessionIdGeneratorBase : Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [200] milliseconds.
2018-11-26 19:43:35.392 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:25012/users
2018-11-26 19:43:35.392 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#377d8162
2018-11-26 19:43:35.393 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-11-26 19:43:35.395 DEBUG 5208 --- [o-auto-1-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-11-26 19:43:35.401 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-11-26 19:43:35.401 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-11-26 19:43:35.402 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-11-26 19:43:35.402 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#161e14b7. A new one will be created.
2018-11-26 19:43:35.402 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-11-26 19:43:35.402 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
2018-11-26 19:43:35.402 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-11-26 19:43:35.403 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/logout'
2018-11-26 19:43:35.403 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-11-26 19:43:35.403 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2018-11-26 19:43:35.403 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-11-26 19:43:35.405 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-11-26 19:43:35.408 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9de06e39: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: CF6283DA974F144F52398E23C94462E1; Granted Authorities: ROLE_ANONYMOUS'
2018-11-26 19:43:35.408 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-11-26 19:43:35.408 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-11-26 19:43:35.408 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-11-26 19:43:35.409 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/'
2018-11-26 19:43:35.410 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/users'
2018-11-26 19:43:35.410 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Public object - authentication not attempted
2018-11-26 19:43:35.411 DEBUG 5208 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy : /error reached end of additional filter chain; proceeding with original chain
2018-11-26 19:43:35.481 DEBUG 5208 --- [o-auto-1-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-11-26 19:43:35.490 DEBUG 5208 --- [o-auto-1-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-11-26 19:43:35.490 DEBUG 5208 --- [o-auto-1-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-11-26 19:43:35.527 INFO 5208 --- [ Thread-2] o.s.s.concurrent.ThreadPoolTaskExecutor : Shutting down ExecutorService 'applicationTaskExecutor'
2018-11-26 19:43:35.541 INFO 5208 --- [ Thread-2] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2018-11-26 19:43:35.547 INFO 5208 --- [ Thread-2] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown initiated...
2018-11-26 19:43:35.583 INFO 5208 --- [ Thread-2] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown completed.
If you have Spring Security on your classpath, it shuts down all resources with default user by default. In order to access any resource no matter what HTTP verb you are using - you have to authenticate. The exception occurs because you are not providing the required credentials. You have several options for fixing this exception.
First and easiest, remove Spring Security from your project.
If you want to access your resources, while preserving the ability to secure certain resources, you need to omit default security established for these resources by creating a bean, which extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter. Then, override its protected void configure(HttpSecurity http) throws Exception method.
E.g.
http.authorizeRequests()
.antMatchers("/your_path_1/**").permitAll()
.antMatchers("/your_path_2/example").permitAll()
// Disallow everything else..
.anyRequest().authenticated();
If you don't want to do that - you can just use an auto-generated password for the user "user" in order to access secured endpoint for the lifetime of one session, then you have to re-login. It gets printed in the logs when you start up your application.
Note:
For further reference, check out Spring Boot Security Reference.
I am trying to set up an angular 6 application that talks to a local spring boot REST application.
I have finally been able to login, and use GET requests, which seem to use the correct cookies. There are 2 cookies, a JSESSION cookie, and a XSRF cookie. The issue is I am getting a 403 response from any POST request. I am pretty confident that it is more of an issue with my Spring set up.
Spring Security config:
#Configuration
public class CORSConfig implements WebMvcConfigurer {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:4200")
.allowCredentials(true)
.allowedHeaders("*")
.allowedMethods("GET", "POST", "*")
.exposedHeaders("Set-Cookie","Authorization");
}
And
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/", "/main", "/user", "/runtime.js","/polyfills.js",
"/main.js", "/styles.js", "/vendor.js").permitAll()
.anyRequest().authenticated()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().sessionManagement().maximumSessions(1).and()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
Please note the antMatchers besides "/user" aren't actually being used in this set up. Those files are being served locally using ng serve.
My angular set up:
#Injectable()
export class AuthenticationInterceptor implements HttpInterceptor{
intercept(req: HttpRequest<any>, next: HttpHandler):
Observable<HttpEvent<any>>
{
const xhr = req.clone({
headers: req.headers.set('X-Requested-With', 'XMLHttpRequest'),
withCredentials: true
});
return next.handle(xhr);
}
This call will work now:
getExercise(id:Number): Observable<Exercise>
{
return this.http.get<Exercise>(environment.baseUrl + '/api/exercise/' + id);
}
But this one, a POST, will not.
saveExercise(exercise: Exercise): Observable<Exercise>
{
return this.http.post<Exercise>(environment.baseUrl +
'/newExercise',exercise);
}
Spring Security logs for the GET:
DEBUG 18776 --- [nio-8080-exec-1] o.s.b.w.s.f.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#29dbd699
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#2de4577a
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG 18776 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-1] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#29dbd699
DEBUG 18776 --- [nio-8080-exec-4] o.s.b.w.s.f.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#29dbd699
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 6 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/exercise/2' doesn't match 'POST /logout
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/main'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/user'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/runtime.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/polyfills.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/main.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/styles.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/vendor.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/exercise/2; Attributes: [authenticated]
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#74ead523, returned: 1
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 reached end of additional filter chain; proceeding with original chain
Getting exercise by ID: 2
DEBUG 18776 --- [nio-8080-exec-4] org.hibernate.SQL : select exercise0_.id as id1_0_0_, exercise0_.instructions as instruct2_0_0_, exercise0_.name as name3_0_0_ from operation_movement.exercises exercise0_ where exercise0_.id=?
DEBUG 18776 --- [nio-8080-exec-4] org.hibernate.SQL : select goaltypes0_.exercise_id as exercise1_1_0_, goaltypes0_.goal_types_id as goal_typ2_1_0_, goaltype1_.id as id1_2_1_, goaltype1_.name as name2_2_1_ from operation_movement.exercises_goal_types goaltypes0_ inner join operation_movement.goaltypes goaltype1_ on goaltypes0_.goal_types_id=goaltype1_.id where goaltypes0_.exercise_id=?
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#2de4577a
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
DEBUG 18776 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-4] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#29dbd699
Spring logs for the POST which returns a 403 response:
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/newExercise
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#2de4577a
DEBUG 18776 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-7] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#29dbd699
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 6 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/logout'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/main'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/user'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/runtime.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/polyfills.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/main.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/styles.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/vendor.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /error; Attributes: [authenticated]
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails#7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#74ead523, returned: 1
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error reached end of additional filter chain; proceeding with original chain
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
DEBUG 18776 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
For any one having the same issue, doing
csrf().disable()
will fix this, though I have no idea why. It seems as spring CSRF and CORS clash in some way when using cookies...
If I had to guess, the below is not working as expected
.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
which is strange because it makes direct reference to Angular:
A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and
reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When
using with AngularJS be sure to use withHttpOnlyFalse().
The above seems to be true - I see that the CSRF token is set and sent by the browser, but Spring is not accepting it as valid. (see logs above)
Invalid CSRF token found for http://localhost:8080/newExercise
Request Cookies
JSESSIONID 31AD5A7891F8BB83072BFC040AABBB35
XSRF-TOKEN 579db734-412c-4ce8-82a2-20aa097e47f
For now, disabling CSRF will work for development, but there is a real world use case for serving my angular app from a separate server, which is the ONLY server that should be able to make requests to my spring server. Hopefully the additional information can help someone, and I will try to post a real answer here if I ever find it.
Try to replace your .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) with csrfTokenRepository and CsrfFilter:
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
See full answer
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests()
.antMatchers("/send-pin").permitAll()
.antMatchers("/check-pin").permitAll()
.antMatchers("/index.html", "/", "/login", "/someotherrurl")
.permitAll().anyRequest().authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
My goal is to secure REST API endpoint in Spring Boot app using #PreAuthorize(hasRole('ROLE_NEW')) annotation.
Role has to be extracted from JWT supplied by KeyCloak.
RestController is below. The project is the same as SpringBoot REST Service Protected Using Keycloak Authorization Services.
#RestController
public class ApplicationController {
#PreAuthorize(hasRole('ROLE_NEW'))
#RequestMapping(value = "/api/resourceannotated", method = RequestMethod.GET)
public String handleResourceAnnotated() {
return createResponse();
}
#RequestMapping(value = "/api/resourcea", method = RequestMethod.GET)
public String handleResourceA() {
return createResponse();
}
#RequestMapping(value = "/api/resourceb", method = RequestMethod.GET)
public String handleResourceB() {
return createResponse();
}
#RequestMapping(value = "/api/premium", method = RequestMethod.GET)
public String handlePremiumResource() {
return createResponse();
}
#RequestMapping(value = "/api/admin", method = RequestMethod.GET)
public String handleAdminResource() {
return createResponse();
}
private String createResponse() {
return "Access Granted";
}
User test with role NEW was added to KeyCloak and I expected requests sent with JWTs to /api/resourceannotated endpoint to be authorized only for users with role NEW which will be extracted from JWT.
The motivation is saving request to KeyCloak which enforces access control to
/api/resourcea, /api/resourceb, /api/premium, /api/admin endpoints using policy enforcers.
How to do it correctly?
Tried Using JWT's with Spring Security's #PreAuthorize annotation for method specific security and USE KEYCLOAK WITH YOUR SPRING BOOT 2 APPLICATION without success. I get the below error:
{
"timestamp": "2018-08-30T14:37:39.409+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/api/resourceannotated" }
When run in debug mode 2 messages are printed:
2018-08-30 17:55:47.586 DEBUG 31006 --- [nio-8180-exec-3]
o.s.b.w.s.f.OrderedRequestContextFilter : Bound request context to
thread: org.apache.catalina.connector.RequestFacade#62b92856
2018-08-30 17:55:47.592 DEBUG 31006 --- [nio-8180-exec-3]
o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound
request context: org.apache.catalina.connector.RequestFacade#62b92856
Enabled debug logging for org.springframework.security
and getting the below errors:
DEBUG 30677 --- [ main] s.s.c.a.w.c.WebSecurityConfigurerAdapter : Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).
DEBUG 30677 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher#1
DEBUG 30677 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
DEBUG 30677 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
INFO 30677 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher#1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#31c2affc, org.springframework.security.web.context.SecurityContextPersistenceFilter#f72203, org.springframework.security.web.header.HeaderWriterFilter#2d2acd89, org.springframework.security.web.csrf.CsrfFilter#6e1d4137, org.springframework.security.web.authentication.logout.LogoutFilter#149f5761, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1237e0be, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter#2ab2710, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#6441c486, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#540dbda9, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#27b000f7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#1dc2de84, org.springframework.security.web.session.SessionManagementFilter#1e6dad8, org.springframework.security.web.access.ExceptionTranslationFilter#2d5f7182, org.springframework.security.web.access.intercept.FilterSecurityInterceptor#58a4a74d]
INFO 30677 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
INFO 30677 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8180 (http) with context path ''
INFO 30677 --- [ main] o.k.quickstart.springboot.MyApplication : Started MyApplication in 14.439 seconds (JVM running for 17.843)
INFO 30677 --- [] o.k.a.authorization.PolicyEnforcer : Paths provided in configuration.
INFO 30677 --- [] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
INFO 30677 --- [] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
INFO 30677 --- [] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 73 ms
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 30677 --- [] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 30677 --- [] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 30677 --- [] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/resourceannotated' doesn't match 'POST /logout
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG 30677 --- [] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/resourceannotated' doesn't match 'POST /login
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 7 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 30677 --- [] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#c551e2ad: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#1de6: RemoteIpAddress: 10.88.0.23; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 30677 --- [] o.s.s.w.session.SessionManagementFilter : Requested session ID A64F605948A7B529457A226B238A5EEC is invalid.
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 30677 --- [] o.s.security.web.FilterChainProxy : /api/resourceannotated at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 30677 --- [] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/resourceannotated; Attributes: [authenticated]
DEBUG 30677 --- [] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#c551e2ad: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#1de6: RemoteIpAddress: 10.88.0.23; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG 30677 --- [] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cd10fa, returned: -1
DEBUG 30677 --- [] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
I have set up an Spring Boot application with Oauth2 authentication using this tutorial.
The Problem is that the logout is not working, users can still access restricted resources after calling logout.
Log output:
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#269ad8d6: Authentication: org.springframework.security.oauth2.provider.OAuth2Authentication#269ad8d6: Principal: unknown; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: ROLE_USER'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.security.web.FilterChainProxy : /logout at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-06 14:27:14.220 DEBUG 2272 --- [o-28080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/logout'; against '/logout'
2016-09-06 14:27:48.801 DEBUG 2272 --- [o-28080-exec-10] o.s.s.w.a.logout.LogoutFilter : Logging out user 'org.springframework.security.oauth2.provider.OAuth2Authentication#269ad8d6: Principal: unknown; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: ROLE_USER' and transferring to logout destination
2016-09-06 14:28:06.314 DEBUG 2272 --- [o-28080-exec-10] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidating session: B5A170AE88346E034E446939A7F319A4
2016-09-06 14:28:09.198 DEBUG 2272 --- [o-28080-exec-10] .s.s.w.a.l.SimpleUrlLogoutSuccessHandler : Using default Url: /
2016-09-06 14:28:09.201 DEBUG 2272 --- [o-28080-exec-10] o.s.s.web.DefaultRedirectStrategy : Redirecting to '/'
2016-09-06 14:28:09.203 DEBUG 2272 --- [o-28080-exec-10] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#764f1e9f
2016-09-06 14:28:09.205 DEBUG 2272 --- [o-28080-exec-10] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-09-06 14:29:52.667 DEBUG 2272 --- [o-28080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/css/**'
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/js/**'
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/webjars/**']
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/webjars/**'
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-09-06 14:29:52.709 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/favicon.ico'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/error'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/assets/**'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/webjars/**'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-06 14:29:52.710 DEBUG 2272 --- [io-28080-exec-8] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-09-06 14:29:52.711 DEBUG 2272 --- [io-28080-exec-8] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-09-06 14:29:52.712 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-06 14:29:52.712 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-09-06 14:29:52.712 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/login'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-09-06 14:29:52.713 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.session.SessionManagementFilter : Requested session ID B5A170AE88346E034E446939A7F319A4 is invalid.
2016-09-06 14:29:52.714 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-09-06 14:29:52.714 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-09-06 14:29:52.714 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout
2016-09-06 14:29:52.714 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [permitAll]
2016-09-06 14:29:52.714 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-09-06 14:29:52.715 DEBUG 2272 --- [io-28080-exec-8] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5f0b1dd7, returned: 1
2016-09-06 14:29:52.715 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2016-09-06 14:29:52.716 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2016-09-06 14:29:52.716 DEBUG 2272 --- [io-28080-exec-8] o.s.security.web.FilterChainProxy : / reached end of additional filter chain; proceeding with original chain
2016-09-06 14:29:52.772 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#764f1e9f
2016-09-06 14:29:52.772 DEBUG 2272 --- [io-28080-exec-8] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-09-06 14:29:53.322 DEBUG 2272 --- [io-28080-exec-8] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2016-09-06 14:29:53.322 DEBUG 2272 --- [io-28080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
Config:
#Configuration
#EnableGlobalMethodSecurity(prePostEnabled = true)
#EnableWebSecurity
#EnableOAuth2Sso
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
#Override
public void configure(WebSecurity web) throws Exception
{
web.ignoring().antMatchers("/assets/**", "/webjars/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests().antMatchers("blacklist...**").hasRole("USER")
.and().authorizeRequests().antMatchers("/**").permitAll()
.and().anonymous()
.and().logout().logoutSuccessUrl("/").permitAll()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().headers().frameOptions().disable().contentTypeOptions().and().xssProtection()
.xssProtectionEnabled(true).and().cacheControl();
}
}
I am facing kind of the same issue, app not redirecting after logout. Been searching the web and nothing...
Meanwhile, had to implement a workaround with Js after delete logout call:
window.location.replace("/");
See my app code here:
https://github.com/chuucks/Spring-Boot-Web-OAUTH2