Spring Security with Spring Boot: Allowing unauthenticated user access on specific endpoints when using a filter

I'm struggling with the basics of Spring Security here.

What I wish to achieve

My system is only for REST API handling: there's a login endpoint (POST on /user/sign_in) and a few open endpoints (GET on /prompt/, /prompt/{id}, /story/, /story/{id}); everything else is for authenticated users only.


I have a custom authentication filter which I've put before the BasicAuthenticationFilter. I'm sharing my WebSecurityConfigurerAdapter code here:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DemoAuthenticationProvider demoAuthenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                // open endpoints: no authentication required
                .antMatchers(HttpMethod.GET, "/version", "/story", "/prompt").permitAll()
                .antMatchers(HttpMethod.POST, "/user/sign_in").permitAll()
                // everything else requires an authenticated user
                .anyRequest().authenticated()
                .and()
                // custom token filter runs before HTTP Basic handling
                .addFilterBefore(new DemoAuthenticationFilter(), BasicAuthenticationFilter.class);
        // stateless REST API: no CSRF tokens in use
        http.csrf().disable();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(demoAuthenticationProvider);
    }
}

For anonymous users on the open endpoints, I'm returning a null authentication token from the filter, and I'm getting

403 Access Denied

Why should an authentication token be required when I've specified permitAll() rather than authenticated() for those endpoints? And how do I go about implementing it correctly?

AA_PV asked Dec 02 '16 08:12


2 Answers

My bad!

Endpoints in Spring Boot = the controller's request mapping + the method's request mapping. The GETs I mentioned are mapped at /. On changing to

.antMatchers(HttpMethod.GET, "/version/", "/story/", "/prompt/").permitAll()
.antMatchers(HttpMethod.POST, "/user/sign_in/").permitAll()

things are rolling.

AA_PV answered Sep 30 '22 14:09
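To complement the question's filter and the accepted answer's point that the matcher patterns must match the request path exactly as sent (trailing slash included), here is an added example of the custom filter, not code from the asker. It only authenticates when a token header is present and otherwise lets the request continue, so Spring Security's AnonymousAuthenticationFilter assigns the anonymous principal and permitAll() rules apply; the header name X-Auth-Token and the use of PreAuthenticatedAuthenticationToken (which DemoAuthenticationProvider is assumed to support) are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical token filter (added example, not the asker's implementation).
public class DemoAuthenticationFilter extends OncePerRequestFilter {

    // Assumed header carrying the client's token.
    static final String TOKEN_HEADER = "X-Auth-Token";

    private final AuthenticationManager authenticationManager;

    public DemoAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader(TOKEN_HEADER);

        if (token == null || token.isEmpty()) {
            // No credentials: do not touch the SecurityContext. Later filters treat the
            // request as anonymous, so permitAll() endpoints succeed and the rest get 401/403.
            chain.doFilter(request, response);
            return;
        }

        try {
            // Assumes DemoAuthenticationProvider accepts this token type.
            Authentication result = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(token, token));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException ex) {
            // A token was supplied but is invalid: reject explicitly rather than
            // silently downgrading the request to anonymous.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(request, response);
    }
}
```

Wire it in the existing config with addFilterBefore(new DemoAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class), and keep the antMatchers patterns (for example "/story/" and "/story/*") aligned with the paths clients actually request.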


This works for me:

.and().authorizeRequests().antMatchers("/URL1/**", "/URL2/**").anonymous().anyRequest().authenticated();
Pasha GR answered Sep 30 '22 14:09