@PreAuthorize(permitAll) still requires authentication

I have the following example method in my Repository (with @RepositoryRestResource annotation):

@Override
@PreAuthorize("permitAll")
@PostAuthorize("permitAll")
public Iterable<User> findAll();

But I'm still getting 401 Unauthorized, even when I add those permitAll annotations to the whole Repository interface.

I got this as my WebSecurityConfigurerAdapter:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic().and().csrf().disable();
    }
}

I suppose this takes precedence over those method annotations, but I don't know how to fix this.

Pitel asked Nov 05 '15 10:11


1 Answer

Method security is applied after the web security filter.

Since you have anyRequest().fullyAuthenticated() in your configuration, your findAll method will never be hit. anyRequest().fullyAuthenticated() means that all attempts to access a web endpoint that does not have some form of full user authentication on it will fail.

From the JavaDoc:

Specify that URLs are allowed by users who have authenticated and were not "remembered".

You will need to add an additional path in your web security, something like:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // Matchers are evaluated top-down and the first match wins, so the
            // permitAll rule has to come before anyRequest(), which must be the
            // last matcher (Spring Security rejects matchers added after it).
            .antMatchers(HttpMethod.GET, "/somePath").permitAll()
            .anyRequest().fullyAuthenticated()
         .and()
            .httpBasic()
         .and()
            .csrf().disable();
}
Leon answered Oct 04 '22 01:10
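The answer's point is that the filter chain decides before any @PreAuthorize on the repository is consulted, so the opening has to be made in the web security rules, and it should be as narrow as possible. The following is an added example, not code from the question or the answer: a complete configuration for the asker's situation plus a MockMvc test that checks what the rule actually exposes. It assumes the repository is published by Spring Data REST at /users (the collection path derived from a UserRepository), Spring Boot 1.4 to 2.x with WebSecurityConfigurerAdapter still available, and spring-boot-starter-test together with spring-security-test on the test classpath. The package name and the App class are placeholders.

```java
package example.security; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Layer 1: the filter chain. Rules match top-down, first match wins, so the
                // narrow public rule comes first. Only GET on exactly "/users" is opened;
                // "/users/**" would also expose item, search and association resources.
                .antMatchers(HttpMethod.GET, "/users").permitAll()
                // Everything else, including POST/PUT/DELETE on /users, still requires a
                // fully authenticated (not remember-me) user. anyRequest() must be last.
                .anyRequest().fullyAuthenticated()
            .and()
                .httpBasic()
            .and()
                .csrf().disable();
        // Layer 2: @PreAuthorize on the repository methods is evaluated only for requests
        // that pass the rules above, so it remains useful as a second check on the
        // endpoints the filter chain lets through.
    }
}
```

The test below belongs in src/test and is part of the same added example. It verifies both layers from the outside: the collection GET is reachable anonymously, while a write to the same path and a GET on an item resource are still rejected by the filter chain with 401 before any repository method runs.

```java
package example.security; // hypothetical package

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest(classes = App.class) // App is a placeholder for the @SpringBootApplication class
@AutoConfigureMockMvc               // MockMvc is built with the security filter chain applied
public class WebSecurityConfigTest {

    @Autowired
    private MockMvc mvc;

    @Test
    public void anonymousGetOnCollectionIsPermitted() throws Exception {
        // Passes the filter chain via the antMatchers rule, then reaches findAll().
        mvc.perform(get("/users")).andExpect(status().isOk());
    }

    @Test
    public void anonymousWriteIsRejectedByFilterChain() throws Exception {
        // Same path, different method: falls through to anyRequest().fullyAuthenticated().
        // Constructed empty JSON body; the request never reaches the repository.
        mvc.perform(post("/users").contentType(MediaType.APPLICATION_JSON).content("{}"))
           .andExpect(status().isUnauthorized());
    }

    @Test
    public void anonymousItemGetIsRejected() throws Exception {
        // "/users/1" is not matched by the exact "/users" pattern, so it stays protected.
        mvc.perform(get("/users/1")).andExpect(status().isUnauthorized());
    }
}
```

If the third test starts failing after someone widens the pattern to "/users/**", that is the signal that more of the repository has been exposed than the original question asked for; the exact-path pattern keeps the opening limited to the one method that was meant to be public.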