my springboot version:v3.0.2
I am using HttpSecurity and the error message Whitelabel Error Page appears
why?
WebSecurityConfig.java
protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((requests)->{
try {
requests .requestMatchers("/").hasAnyAuthority("USER","CREATOR","EDITOR","ADMIN") .requestMatchers("/new").hasAnyAuthority("ADMIN","CREATOR") .requestMatchers("/edit/**").hasAnyAuthority("ADMIN","CREATOR") .requestMatchers("/delete/**").hasAnyAuthority("ADMIN")
.requestMatchers("/h2-console/**").permitAll()
.requestMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
.and()
.exceptionHandling().accessDeniedPage("/403");
} catch (Exception e) {
e.printStackTrace();
}
});
http.csrf().disable();
http.headers().frameOptions().sameOrigin();
}
application.properties
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console
spring.datasource.url=jdbc:h2:mem:sm
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.main.allow-bean-definition-overriding=true
spring.main.allow-circular-references=true
server.port=8082
h2-console login
h2-console Connect
Can't find a solution on google
Related
i am trying to add couple of filters in my request processing in spring boot security config.
Below is my code
#EnableWebSecurity
#Configuration
public class JwtSecurityConfiguration {
#Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(this::configureEndpoints)
return http.build();
}
private void configureEndpoints(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizationManagerRequestMatcherRegistry){
authorizationManagerRequestMatcherRegistry.mvcMatchers("/permit")
.permitAll()
.mvcMatchers("/block")
.denyAll()
.and()
.mvcMatcher("/api")
.addFilterBefore(new Filter1(), SecurityContextHolderAwareRequestFilter.class)
// register TenantFilter in the chain after the SecurityContext is made available by the respective filter
.mvcMatcher("/api")
.addFilterAfter(new Filter2(), SecurityContextHolderAwareRequestFilter.class)
.authorizeHttpRequests()
.mvcMatchers("/api")
.authenticated()
.and();
}
}
It seems the authentication does not happen and filters are never hit.
If i try to access the authentication in my runtime code i get SecurityContextHolder.getContext().getAuthentication() as null.
Seems to some problem in the security configuration only.
I'm using springdoc-openapi-ui for API documentation
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-ui</artifactId>
<version>1.6.14</version>
</dependency>
And, following Spring Boot security config.
.
.
public static String[] SWAGGER_WHITELIST = {
"/api-docs",
"/swagger-ui.html",
"/swagger-resources/**",
"/webjars/**",
"/swagger.json"
};
#Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.cors().disable();
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.authorizeHttpRequests()
.requestMatchers(SWAGGER_WHITELIST).permitAll()
.requestMatchers(AUTH_WHITELIST).permitAll()
.and()
.addFilterAt(new JWTAuthenticationFilter(userService, jwtService, authenticationProvider()), UsernamePasswordAuthenticationFilter.class)
// .addFilterAfter(new UserAuthorizationFilter(), JWTAuthenticationFilter.class)
.authorizeHttpRequests()
.anyRequest().authenticated();
return http.build();
}
.
.
Spring boot parent version: 3
When I try to access http://localhost:8080/swagger-ui.html I'm getting 403.
Anyone facing similar issue? What could be the issue?
I tried
Whitelisting the swagger URLs
Changing the swagger doc path from config
I'm getting
No luck in debugging as console doesn't show any exception
It just rejects requests without printing any log
Following changes fixed the issue for me
Changed from springdoc-openapi-ui:1.6.14 to springdoc-openapi-starter-webmvc-ui:2.0.2 as it supports spring boot v3.
Added following things to whitelist
public static String[] SWAGGER_WHITELIST = {
"/api-docs/**",
"/api-docs.yaml",
"/swagger-ui/**",
"/swagger-ui.html",
};
New .properties file (match with whitelist)
#Swagger
springdoc.swagger-ui.path=/swagger-ui.html
springdoc.api-docs.path=/api-docs
#Security config method
#Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/whitelist/**").permitAll()
.anyRequest().authenticated();
http.csrf().disable();
}
#application properties config server.ssl.enabled=true server.ssl.key-store=keystore.p12 server.ssl.key-store-password=password server.ssl.keyStoreType=PKCS12
Goal: secure all actuator endpoints, apart from info and health, but for health show the details when user is authenticated.
My pom has only spring-boot-starter-web, spring-boot-starter-security and spring-boot-starter-web (Spring boot version: 2.1.6.RELEASE) and the whole config is
#Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint().excluding("info", "health"))
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
and application.yml
management:
endpoints:
web:
exposure:
include: "*"
endpoint:
health:
show-details: "when-authorized"
This secures all end points and gives unauthenticated access to info and health. But when health is accessed with credentials it does not return the details. It looks like the management.endpoint.health.show-details="when-authorized" is ignored in this case.
Anyone has an idea how to fix this?
Should work using
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()
.excluding("info", "health")).authenticated()
.and().httpBasic();
}
or
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(EndpointRequest.to("info", "health"))
.permitAll()
.anyRequest().authenticated()
.and().httpBasic();
}
How can I enable fallback to basic auth if Kerberos authentication fails (e.g. client is not on the domain)? With the configuration below no browser authentication window appears and the following exceptions are thrown:
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Relevant part of my WebSecurityConfigurerAdapter implementation:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(spnegoEntryPoint())
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.logout()
.permitAll()
.and()
.addFilterBefore(
spnegoAuthenticationProcessingFilter(),
BasicAuthenticationFilter.class);
}
#Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint("/");
}
#Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter() {
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
try {
filter.setAuthenticationManager(authenticationManagerBean());
} catch (Exception e) {
log.error("Failed to set AuthenticationManager on SpnegoAuthenticationProcessingFilter.", e);
}
return filter;
}