Today I upgraded my Webflux REST API demo application from springboot 2.7.x to version 3.0.0. On testing found for POST Calls with SpringSecurity I am getting 403 Forbidden with message An expected CSRF token cannot be found. I double checked my security config and don't find any problem.
#Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.csrf().disable()
.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/actuator/**").permitAll()
.pathMatchers(HttpMethod.POST, "/api/v1/users", "/api/v1/users/**").hasRole(ReactiveConstant.SECURITY_ROLE_ADMIN) // Only admin can do POST
.pathMatchers(HttpMethod.GET, "/api/v1/users", "/api/v1/users/**").hasAnyRole(ReactiveConstant.SECURITY_ROLE_USER, ReactiveConstant.SECURITY_ROLE_ADMIN) // user can only do GET
.anyExchange().authenticated()
.and().formLogin()
.and().httpBasic()
.and().formLogin().disable()
.build();
}
This is working in SpringBoot 2.7.5 version. My build.gradle file,
plugins {
id 'org.springframework.boot' version '3.0.0'
id 'io.spring.dependency-management' version '1.1.0'
id 'java'
id 'groovy'
}
group = 'io.c12.bala'
version = '0.2.1'
sourceCompatibility = JavaVersion.VERSION_17
configurations {
compileOnly {
extendsFrom annotationProcessor
}
}
repositories {
mavenLocal()
mavenCentral()
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-data-mongodb-reactive'
implementation 'org.springframework.boot:spring-boot-starter-webflux'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.boot:spring-boot-starter-security'
// Springboot utils
implementation 'io.projectreactor:reactor-tools' // For Reactor debugging in IDE
compileOnly 'org.projectlombok:lombok'
developmentOnly 'org.springframework.boot:spring-boot-devtools'
annotationProcessor 'org.projectlombok:lombok'
implementation 'org.modelmapper:modelmapper:3.1.0'
implementation 'io.netty:netty-resolver-dns-native-macos:4.1.85.Final:osx-aarch_64' // For macos netty DNS issue.
implementation 'com.aventrix.jnanoid:jnanoid:2.0.0'
// Springboot testing with Spock test framework
testImplementation 'org.springframework.boot:spring-boot-starter-test'
testImplementation 'org.springframework.security:spring-security-test'
// Spock test framework
testImplementation 'org.spockframework:spock-core:2.3-groovy-4.0'
testImplementation 'org.spockframework:spock-spring:2.3-groovy-4.0'
// Reactor test framework
testImplementation 'io.projectreactor:reactor-test'
}
test {
useJUnitPlatform()
maxParallelForks = Runtime.runtime.availableProcessors()
}
I am not seeing any changes to CSRF in SpringSecurity documentation.
My POST Call,
curl --location --request POST 'http://localhost:8080/api/v1/users' \
--header 'Authorization: Basic am9objpIZWxsb1dvcmxkQDEyMw==' \
--header 'Content-Type: application/json' \
--data-raw '{
"firstName": "John",
"lastName": "Doe",
"emailId": "John.doe#example.com",
"userId": "j.doe"
}'
Response: 403 Forbidden
An expected CSRF token cannot be found
I experienced the same symptoms when migrating my webflux application to Spring Boot 3.0.0 today, which worked perfectly with 2.7.5. So I googled for "csrf-disabling no longer working" and found this and some few (!) other posts...
However it was an annotation change of Spring security 6, that caused the problem: #EnableWebFluxSecurity contained "#Configuration" in 5.x version (I checked) - but obviously does no longer and has to be added explicitly.
Thus the complete SecurityWebFilterChain bean was not found after migrating... Now the working code looks as follows:
#EnableWebFluxSecurity
#Configuration // <- this annotation was missing but worked with Spring Security 5.x
public class AccountWebSecurityConfig {
#Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
ReactiveAuthenticationManager authenticationManager,
ServerAccessDeniedHandler accessDeniedHandler,
ServerAuthenticationEntryPoint authenticationEntryPoint) {
http.csrf().disable()
.httpBasic(httpBasicSpec -> httpBasicSpec
.authenticationManager(authenticationManager)
// when moving next line to exceptionHandlingSpecs, get empty body 401 for authentication failures (e.g. Invalid Credentials)
.authenticationEntryPoint(authenticationEntryPoint)
)
.authorizeExchange()
//...
}
As your FilterChain - snippet does not show the annotations at your class, chances are, you may also missing the #Configuration..
In my case now everything works as before :-)
Related
I am using the new Spring for Graphql in my Spring Boot application. My problem is, that the server always responds 404 when making a POST request to the /graphql endpoint.
These are my gradle dependencies
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation 'org.springframework.boot:spring-boot-starter-graphql'
implementation 'org.springframework.boot:spring-boot-starter-mail'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-websocket'
implementation 'org.flywaydb:flyway-core'
compileOnly 'org.projectlombok:lombok'
runtimeOnly 'org.postgresql:postgresql'
annotationProcessor 'org.projectlombok:lombok'
I followed the steps in this tutorial to create the controllers (formerly known as resolvers, I actually changed all my old Graphql resolvers to the new #QueryMapping and #MutationMapping annotations)
This is the code for my StepController
#Slf4j
#Controller
#RequiredArgsConstructor
public class StepController {
private final StepService stepService;
private final TokenService tokenService;
#QueryMapping
public ArrayList<Step> getSteps(String templateId) {
return stepService.getSteps(templateId);
}
#MutationMapping
public Step createStep(StepInput input, DataFetchingEnvironment env) {
return stepService.createStep(input, tokenService.getUserId(env));
}
}
I am also using WebSecurity in my project, changed my deprecated WebSecurityConfigurerAdapter to the more modern way of doing this by creating a Bean inside a SecurityConfig.class
#Configuration
public class SecurityConfiguration {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.cors()
.configurationSource(request -> {
var cors = new CorsConfiguration();
cors.setAllowedOrigins(List.of("http://localhost:4200", "electron://altair"));
cors.setAllowedMethods(List.of("GET", "POST", "DELETE", "OPTIONS"));
cors.setAllowedHeaders(List.of("*"));
cors.setAllowCredentials(true);
return cors;
})
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/graphql").permitAll()
.antMatchers(HttpMethod.GET, "/stomp/**").permitAll()
.anyRequest().authenticated()
.and()
// this disables session creation on Spring Security
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
return http.build();
}
}
My GraphQl Schema is structured in resources/graphql in a folder structure, I had no problem with this before I switched to the new Spring Boot Graphql
UPDATE To be on the safe side: I deleted the whole folder structure and replaced it with one schema.graphqls file that has just the Login mutation and a query that is never used, just to avoid the Query needed compiler error
type Mutation {
login(email: String!, password: String!): Login!
}
type Login {
token: String
}
// unused, just to make the compiler happy
type Query {
getLogin: Login
}
application.properties
spring.banner.location=classpath:logo.txt
spring.main.banner-mode=console
spring.output.ansi.enabled=ALWAYS
spring.main.allow-bean-definition-overriding=true
spring.mail.host=mail.blablabla
spring.mail.port=587
spring.mail.username=no-reply#blablabla
spring.mail.password=blablalba
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false
spring.profiles.include=prod,dev
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQL95Dialect
spring.jpa.hibernate.ddl-auto=validate
spring.servlet.multipart.max-file-size=512KB
I hope I provided enough information as to how my project is set up. I would really appreciate any help that can solve this issue. I searched the whole evening yesterday, finally now posting this question here. I hope someone can help me. Thanks
Please add this property in application.properties file and try again.
spring.graphql.graphiql.enabled=true
There is a Spring Boot project that uses Spring Security. The authorization process goes through the session and upon successful authorization, the application stores information in a cookie. For /login and /logout, I made url access as permitAll, and painted the rest of the url as authenticated. When a user knocks on secure urls without authorization, it says that anonymousUser is running. When debugging, it is clear that if Spring Security does not receive a request from an authorized user, then it automatically substitutes anonymousUser. As a solution in the Spring Security Configuration, I disabled anonymous access in http.build (anonymous.disable()), but this way all my urls, including /login and /logout, fall under 403 Forbidden. What is the matter and how can the problem be solved?
#Configuration
#EnableWebSecurity
public class SecurityConfiguration {
public static final String SESSION_ATTRIBUTE = "JSESSIONID";
#Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
#Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
#Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring()
.antMatchers("/v3/api-docs/**")
.antMatchers("configuration/**")
.antMatchers("/swagger*/**")
.antMatchers("/webjars/**")
.antMatchers("/swagger-ui/**");
}
#Bean
public CorsConfiguration corsConfiguration() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.setAllowCredentials(true);
corsConfiguration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
corsConfiguration.setAllowedOriginPatterns(List.of("*:[*]"));
corsConfiguration.setAllowedHeaders(List.of("*"));
corsConfiguration.setExposedHeaders(List.of("*"));
corsConfiguration.setMaxAge(1000L);
return corsConfiguration;
}
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.cors().configurationSource(cors -> corsConfiguration()).and()
.csrf().disable()
.anonymous().disable()
.httpBasic().disable()
.logout().invalidateHttpSession(true).deleteCookies(SESSION_ATTRIBUTE)
.and()
.authorizeRequests()
.antMatchers("/api/authentication/login", "/api/authentication/logout").permitAll()
.antMatchers("/api/file/*", "/api/report/*", "/api/user/information/*").authenticated();
return http.build();
}
}
build.gradle:
dependencies {
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.7.2'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.7.2'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.7.2'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-validation', version: '2.7.2'
implementation group: 'com.microsoft.sqlserver', name: 'mssql-jdbc', version: '9.4.1.jre16'
implementation group: 'org.json', name: 'json', version: '20220320'
implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.6.10'
implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
compileOnly 'org.projectlombok:lombok:1.18.24'
annotationProcessor 'org.projectlombok:lombok:1.18.24'
}
Hi I'm trying to add security to a Kotlin Spring Boot project with Java 15 I've started. I want to use Keycloak as Auth Server.
I don't have a frontend yet (REACT app), I'm building the REST API first.
My problem is when I try to hit a protected endpoint instead of having the Keycloak login page I think the Spring Security login page pops up because it says invalid credentials and the looks are a basic form instead of the style Keycloak has for login. I don't know what's missing on my config.
This is the SecurityConfig:
#Configuration
#EnableWebSecurity
#ComponentScan(basePackageClasses = [KeycloakSecurityComponents::class])
internal class SecurityConfig : KeycloakWebSecurityConfigurerAdapter() {
#Autowired
fun configureGlobal(auth: AuthenticationManagerBuilder) {
val keycloakAuthenticationProvider: KeycloakAuthenticationProvider =
keycloakAuthenticationProvider()
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
SimpleAuthorityMapper()
)
auth.authenticationProvider(keycloakAuthenticationProvider)
}
#Bean
fun keycloakConfigResolver(): KeycloakSpringBootConfigResolver {
return KeycloakSpringBootConfigResolver()
}
#Bean
override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy {
return RegisterSessionAuthenticationStrategy(
SessionRegistryImpl()
)
}
override fun configure(http: HttpSecurity) {
super.configure(http)
http.authorizeRequests()
.antMatchers("/carts*")
.hasRole("user")
.anyRequest()
.permitAll()
}
}
Controller:
#RestController
#RequestMapping("/carts")
class CartController(private val cartService: CartService) {
#GetMapping("/{id}")
fun getCart(#PathVariable id: String): Cart? {
return cartService.findById(id)
}
}
application-yml:
keycloak:
auth-server-url: http://localhost:8081/auth
realm: TestRealm
resource: login-app
public-client: true
principal-attribute: preferred_username
build.gradle dependencies:
dependencies {
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.boot:spring-boot-starter-data-mongodb")
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.jetbrains.kotlin:kotlin-reflect")
implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.12.+")
implementation("org.keycloak:keycloak-spring-boot-starter")
developmentOnly("org.springframework.boot:spring-boot-devtools")
annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
testImplementation("org.springframework.boot:spring-boot-starter-test")
testImplementation("org.springframework.security:spring-security-test")
testImplementation("io.mockk:mockk:1.10.6")
}
dependencyManagement {
imports {
mavenBom("org.keycloak.bom:keycloak-adapter-bom:12.0.4")
}
}
When I do a direct request I get a valid token so I'm assuming Keycloak is working (I'm running it on a docker container at port 8081).
curl --location --request POST 'http://localhost:8081/auth/realms/TestRealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=login-app' \
--data-urlencode 'username=user2' \
--data-urlencode 'password=user2' \
--data-urlencode 'grant_type=password'
A request to "localhost:8080/carts/605271fa9f2ad0418ca4858d" redirects to "http://localhost:8080/login" and this shows:
Instead what I'd expect to be similar to this (taken from another example):
Every guide I've seen they are redirected to the Keycloak login out of the box. I'm kind of lost here, any ideas?
Thanks!!
You have to disable the auto configuration for security
use this in your Main class
#EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class})
Lost the afternoon for not adding the package to my SecurityConfig (copied the example from somewhere else and probably overwrote the package definition) class so the component scan was skipping completely this config.
Nevertheless the way I made it work is requesting the token directly to the keycloak url and sending it with the header --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiA...'.
I guess the Keycloak login page is something I have to configure later on from the frontend directly since I'm not using Spring MVC
I'm implemention OAuth2 System with Spring Boot 2.1.4 and Spring Security OAuth2.
I want to separate All Components Client, ResourceServer, AuthorizationServer)
so i create 3 projects each git repository.
in Client, I requested protected URL.
and Spring Security redirected me to Authorization Server's /oauth/authorize, and i redirected to Authorization Server's login page.
i tried login, and success.
and i redirected to my Client and redirected again to AuthorizationServer's login page agian. (infinitely loop)
following is my 3 Components(Client, AuthorizationServer, ResourceServer)' Configuration.
Client
gradle
plugins {
id 'org.springframework.boot' version '2.1.4.RELEASE'
id 'java'
}
...
dependencies {
...
/** Spring Security **/
implementation 'org.springframework.boot:spring-boot-starter-security'
// https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure
compile group: 'org.springframework.security.oauth.boot', name: 'spring-security-oauth2-autoconfigure', version: '2.1.4.RELEASE'
// https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-client
compile group: 'org.springframework.security', name: 'spring-security-oauth2-client', version: '5.1.5.RELEASE'
}
application.yml
...
spring:
security:
oauth2:
client:
provider:
teemo:
authorizationUri: http://localhost:8082/oauth/authorize
tokenUri: http://localhost:8082/oauth/token
userInfoUri: http://localhost:8081/me
registration:
teemo:
clientId: foo
clientSecret: bar
provider: teemo
authorizationGrantType: authorization_code
redirectUri: http://localhost:8080/oauth2/authorization/teemo
...
WebSecurityConfigurerAdapter config
#Configuration
#EnableOAuth2Client
public class WebSecurityConfigurerAdapterImpl extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/home", "/error", "/webjars/**", "/resources/**", "/login**").permitAll()
.anyRequest().authenticated()
.and().oauth2Login();
}
}
AuthorizationServer
gradle
plugins {
id 'org.springframework.boot' version '2.1.4.RELEASE'
id 'java'
}
...
dependencies {
...
/** Spring Security **/
implementation 'org.springframework.boot:spring-boot-starter-security'
// https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure
compile group: 'org.springframework.security.oauth.boot', name: 'spring-security-oauth2-autoconfigure', version: '2.1.4.RELEASE'
...
}
application.yml
spring:
security:
user:
name: user
password: user
...
WebSecurityConfigurerAdapter config
#Configuration
public class WebSecurityConfigurerAdapterImpl extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/oauth/authorize", "/oauth/token", "/login**").permitAll()
.and().formLogin().permitAll();
}
}
AuthorizationServerConfigurerAdapter config
#Component
#EnableAuthorizationServer
public class AuthorizationServerConfigurerAdapterImpl extends AuthorizationServerConfigurerAdapter {
private AuthenticationManager authenticationManager;
public AuthorizationServerConfigurerAdapterImpl(AuthenticationConfiguration authenticationConfiguration) throws Exception {
this.authenticationManager = authenticationConfiguration.getAuthenticationManager();
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("foo")
.secret("bar")
//.authorities("USER")
.authorizedGrantTypes("authorization_code", "implicit", "refresh_token")
.autoApprove(true)
.redirectUris("http://localhost:8080/oauth2/authorization/teemo")
.scopes("read");
}
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)throws Exception {
oauthServer
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
}
ResourceServer
gradle
plugins {
id 'org.springframework.boot' version '2.1.4.RELEASE'
id 'java'
}
...
dependencies {
...
/** Spring Security **/
implementation 'org.springframework.boot:spring-boot-starter-security'
// https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure
compile group: 'org.springframework.security.oauth.boot', name: 'spring-security-oauth2-autoconfigure', version: '2.1.4.RELEASE'
// https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-resource-server
//compile group: 'org.springframework.security', name: 'spring-security-oauth2-resource-server', version: '5.1.5.RELEASE'
}
application.yml
...
security:
oauth2:
resource:
token-info-uri: http://localhost:8082/oauth/check_token
ResourceServerConfigurerAdapter config
#Configuration
#EnableResourceServer
public class ResourceServerConfigurerAdapterImpl extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/me").access("#oauth2.hasScope('read')");
}
#Primary
#Bean
public RemoteTokenServices tokenService() {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl("http://localhost:8082/oauth/check_token");
tokenService.setClientId("foo");
tokenService.setClientSecret("bar");
return tokenService;
}
}
and following is screenshot for infinitely looping after login.
infinitely image
how can i fix this? and i'm spring boot & security newbie.
There are several problems with your code. Among them:
You need to have a specific context path for each project (because the session tracking is cookie based and each session cookie must have a unique path)
There is no /me path mapping on resource server
The redirectUri should have the format <client_url>/login/oauth2/code/<provider_name>
I have made a pull request for each or your projects that fixed the issues.
For an example of OAUTH2 with String Boot take a look here
If you find something unclear with the modifications I have made, feel free to ask me.
I'm trying to repeat the "Spring Boot and OAuth2" example from tutorial.
I run the example with "gradlew bootRun".
It is working on Windows without problems, but I having an issue on Ubuntu 14.04.
When I clicked on "login" button the service doesn't perform a redirect to the authorization server (e.g. facebook), and after several minutes return with time-out.
The service's log contains the following lines:
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout
o.s.security.web.FilterChainProxy : /login at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
uth2ClientAuthenticationProcessingFilter : Request is to process authentication
I would be grateful for any help.
Thanks.
Source code of tutorial located on github
My source code are given below:
build.gradle
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath("org.springframework.boot:spring-boot-gradle-plugin:1.4.1.RELEASE")
}
}
apply plugin: 'java'
apply plugin: 'idea'
apply plugin: 'spring-boot'
sourceCompatibility = '1.8'
targetCompatibility = '1.8'
repositories {
mavenCentral()
}
dependencies {
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.boot:spring-boot-starter-web")
compile("org.springframework.security.oauth:spring-security-oauth2")
compile("org.webjars:webjars-locator")
compile("org.webjars:angularjs:1.4.3")
compile("org.webjars:jquery:2.1.1")
compile("org.webjars:bootstrap:3.2.0")
testCompile group: 'junit', name: 'junit', version: '4.11'
}
application.yml
security:
oauth2:
client:
clientId: 233668646673605
clientSecret: 33b17e044ee6a4fa383f46ec6e28ea1d
accessTokenUri: https://graph.facebook.com/oauth/access_token
userAuthorizationUri: https://www.facebook.com/dialog/oauth
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
resource:
userInfoUri: https://graph.facebook.com/me
logging:
level:
org.springframework.security: DEBUG
SocialApplication.java
#SpringBootApplication
#EnableOAuth2Sso
#RestController
public class SocialApplication extends WebSecurityConfigurerAdapter {
#RequestMapping("/user")
public Principal user(Principal principal) {
return principal;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**").authorizeRequests().antMatchers("/", "/login**", "/webjars/**").permitAll()
.anyRequest().authenticated()
.and().logout().logoutSuccessUrl("/").permitAll()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
public static void main(String[] args) {
SpringApplication.run(SocialApplication.class, args);
}
}
The timeout was caused by the secure random call.
The solution for me is the following lines:
bootRun {
jvmArgs = ["-Djava.security.egd=file:/dev/./urandom"]
}