How to disable spring security for particular url

I am using stateless Spring Security, but in the case of signup I want to disable Spring Security. I disabled it using

    antMatchers("/api/v1/signup").permitAll().

but it is not working; I am getting the error below:

    message=An Authentication object was not found in the SecurityContext, type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException

I think this means the Spring Security filters are working.

My URLs will always be under "/api/v1".

My Spring config is:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.
            csrf().disable().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
            and().
            authorizeRequests().
            antMatchers("/api/v1/signup").permitAll().
            anyRequest().authenticated().
            and().
            anonymous().disable();
        http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
    }

My authentication filter is:

    // Note: authenticationManager and logger are fields of the enclosing filter class
    // (constructed as new AuthenticationFilter(authenticationManager()) in the config above).
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = asHttp(request);
        HttpServletResponse httpResponse = asHttp(response);

        String username = httpRequest.getHeader("X-Auth-Username");
        String password = httpRequest.getHeader("X-Auth-Password");
        String token = httpRequest.getHeader("X-Auth-Token");

        String resourcePath = new UrlPathHelper().getPathWithinApplication(httpRequest);

        try {
            // POST to the authenticate URL: exchange username/password for a token and stop here
            if (postToAuthenticate(httpRequest, resourcePath)) {
                processUsernamePasswordAuthentication(httpResponse, username, password);
                return;
            }

            // Any other request: authenticate the token if one was sent, then continue the chain
            if (token != null) {
                processTokenAuthentication(token);
            }
            chain.doFilter(request, response);
        } catch (InternalAuthenticationServiceException internalAuthenticationServiceException) {
            SecurityContextHolder.clearContext();
            logger.error("Internal authentication service exception", internalAuthenticationServiceException);
            httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        } catch (AuthenticationException authenticationException) {
            SecurityContextHolder.clearContext();
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage());
        }
    }

    private HttpServletRequest asHttp(ServletRequest request) {
        return (HttpServletRequest) request;
    }

    private HttpServletResponse asHttp(ServletResponse response) {
        return (HttpServletResponse) response;
    }

    private boolean postToAuthenticate(HttpServletRequest httpRequest, String resourcePath) {
        return Constant.AUTHENTICATE_URL.equalsIgnoreCase(resourcePath) && httpRequest.getMethod().equals("POST");
    }

    private void processUsernamePasswordAuthentication(HttpServletResponse httpResponse, String username, String password)
            throws IOException {
        Authentication resultOfAuthentication = tryToAuthenticateWithUsernameAndPassword(username, password);
        SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication);
        httpResponse.setStatus(HttpServletResponse.SC_OK);
        httpResponse.addHeader("Content-Type", "application/json");
        // The token is carried in the Authentication's details and returned to the client as a header
        httpResponse.addHeader("X-Auth-Token", resultOfAuthentication.getDetails().toString());
    }

    private Authentication tryToAuthenticateWithUsernameAndPassword(String username, String password) {
        UsernamePasswordAuthenticationToken requestAuthentication = new UsernamePasswordAuthenticationToken(username, password);
        return tryToAuthenticate(requestAuthentication);
    }

    private void processTokenAuthentication(String token) {
        Authentication resultOfAuthentication = tryToAuthenticateWithToken(token);
        SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication);
    }

    private Authentication tryToAuthenticateWithToken(String token) {
        PreAuthenticatedAuthenticationToken requestAuthentication = new PreAuthenticatedAuthenticationToken(token, null);
        return tryToAuthenticate(requestAuthentication);
    }

    private Authentication tryToAuthenticate(Authentication requestAuthentication) {
        Authentication responseAuthentication = authenticationManager.authenticate(requestAuthentication);
        if (responseAuthentication == null || !responseAuthentication.isAuthenticated()) {
            throw new InternalAuthenticationServiceException("Unable to authenticate Domain User for provided credentials");
        }
        logger.debug("User successfully authenticated");
        return responseAuthentication;
    }

My controller is:

    @RestController
    public class UserController {

        @Autowired
        UserService userService;

        /**
         * Passes the user info to the service.
         */
        @RequestMapping(value = "api/v1/signup", method = RequestMethod.POST)
        public String saveUser(@RequestBody User user) {
            userService.saveUser(user);
            return "User registered successfully";
        }
    }

I am totally new to Spring; please help me with how to do it.

364 likes
Prabjot Singh asked May 21 '15 06:05




2 Answers

When using permitAll, it means every authenticated user; however, you disabled anonymous access, so that won't work.

What you want is to ignore certain URLs; for this, override the configure method that takes a WebSecurity object and ignore the pattern.

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/api/v1/signup");
    }

And remove that line from the HttpSecurity part. This will tell Spring Security to ignore this URL and not apply any filters to it.

130 likes
M. Deinum answered Sep 25 '22 12:09



I have a better way:

    http
        .authorizeRequests()
        .antMatchers("/api/v1/signup/**").permitAll()
        .anyRequest().authenticated();
24 likes
javajoker answered Sep 25 '22 12:09

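The two answers above and the asker's config taken together, as an added example (not code from the question or either answer): the reported exception comes from combining permitAll() with anonymous().disable(), because permitAll() still requires some Authentication object in the SecurityContext and the anonymous filter is what supplies one for credential-less requests. This configuration keeps the asker's stateless setup and custom filter, leaves anonymous authentication at its default, and restricts the open mapping to POST to match the controller; it assumes the WebSecurityConfigurerAdapter-style API of the question's era (deprecated in Spring Security 5.7, removed in 6) and that AuthenticationFilter is the asker's class from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // permitAll() is an access rule, not a bypass: the request still passes the
                // whole filter chain, and the access decision needs an Authentication object.
                // With anonymous() left enabled (the default), AnonymousAuthenticationFilter
                // supplies an AnonymousAuthenticationToken for requests that carry no
                // credentials, so this rule now succeeds. Only the POST used by the
                // controller is opened; other methods on the path stay authenticated.
                .antMatchers(HttpMethod.POST, "/api/v1/signup").permitAll()
                .anyRequest().authenticated()
            .and()
            // anonymous().disable() is deliberately NOT called: that call is what produced
            // "An Authentication object was not found in the SecurityContext".
            // AuthenticationFilter is the asker's token/header filter from the question.
            .addFilterBefore(new AuthenticationFilter(authenticationManager()),
                             BasicAuthenticationFilter.class);
    }

    // Alternative from the accepted answer: bypass the security filter chain entirely.
    // The request then receives no security processing at all (no security headers, no
    // authentication or authorization filters), and nothing about it is recorded in the
    // SecurityContext, so prefer the permitAll() rule above unless that is really wanted.
    // @Override
    // public void configure(WebSecurity web) {
    //     web.ignoring().antMatchers(HttpMethod.POST, "/api/v1/signup");
    // }
}
```

To confirm the fix, a POST to /api/v1/signup without X-Auth-* headers should reach the controller, while a GET to the same path and any request to another /api/v1 path without a valid token should still be rejected with 401.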