Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

spring security webSecurity.ignoring()

Tags:

spring-mvc

spring-rest

spring-security

I am using spring security via spring boot. I have two kinds of rest services.

public/** --> Every one can access and use these services

secure/** --> Only authenticated users can use.

@Slf4j
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
public void configure(WebSecurity webSecurity) throws Exception {
    webSecurity.ignoring().antMatchers("/public/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.addFilterBefore(requestHeaderAuthenticationFilter(authenticationManager()),
            BasicAuthenticationFilter.class)
            .authorizeRequests().antMatchers("/secure/**").fullyAuthenticated();
}

@Bean
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(
        final AuthenticationManager authenticationManager) {

    RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager);
    filter.setExceptionIfHeaderMissing(true);
    filter.setPrincipalRequestHeader("MY_HEADER");
    filter.setInvalidateSessionOnPrincipalChange(true);
    filter.setCheckForPrincipalChanges(false);
    filter.setContinueFilterChainOnUnsuccessfulAuthentication(false);
    return filter;
}

When i want to access a resource under public i got exception.

exception: "org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException"

message: "MY_HEADER header not found in request."

Why does my filter activated under public resource while it is configured as ignored resource?

Thanks is advance

like image 214
user1470509 Avatar asked Oct 22 '15 13:10

user1470509

1 Answers

This is an issue in WebSecurity.ignoring() as discussed in Spring Security Github when using Beans as Filters.

You can work around this by removing the @Bean annotation in your Filter declaration.

// @Bean - Remove or Comment this
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(
        final AuthenticationManager authenticationManager) {

    RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager);
    filter.setExceptionIfHeaderMissing(true);
    filter.setPrincipalRequestHeader("MY_HEADER");
    filter.setInvalidateSessionOnPrincipalChange(true);
    filter.setCheckForPrincipalChanges(false);
    filter.setContinueFilterChainOnUnsuccessfulAuthentication(false);
    return filter;
}
like image 157
shazin Avatar answered Sep 28 '22 00:09

shazin
Sign in to Comment

Related questions

Adding headers to Spring controllers
Looking for an CMS that can be plugged into a Spring MVC Application [closed]
Spring MVC map multiple dynamic form elements with the same name
Invocation of init method failed; nested exception is java.lang.NoClassDefFoundError: org/hibernate/util/DTDEntityResolver
DAO on different application server
Why @ExceptionHandler(MethodArgumentNotValidException.class) is ignored in favour of @ExceptionHandler(Exception.class)
How to get the instances of the WebApplicationContext and DispatcherServlet in the spring-web-mvc at the runtime of an spring web application
How implements Spring Bootstrap and Aspect?
How to make Spring Joda-Time formatter work with nonstandard locales?
Passing JSON objects in a REST HTTP GET request using Spring MVC
Spring MVC returns jsp as text/plain content type
Spring Security JSP Tags <sec:authorize access="hasRole('')"> not working
No mapping found for HTTP request with URI [] in DispatcherServlet with name ' [duplicate]
Freemarker issues with Java 8
REST Service that can consume both JSON and Multipart Form
How to use @ControllerAdvice for ViewController's (registered using ViewControllerRegistry)
Handling MultipartException with Spring Boot and display error page
Could not parse multipart servlet request, nested exception is org.apache.commons.fileupload.FileUploadException
HTTP Status 400 - Required Integer parameter 'id' is not present
How to limit requests per USER in ServletAPI (Spring MVC)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!