Spring Boot: secure some endpoints with Google Oauth - spring-boot

I try to use Google SSO with a Spring Boot application.
I've added this dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
and these properties:
spring.security.oauth2.client.registration.google.client-id=...
spring.security.oauth2.client.registration.google.client-secret=...
and it works. When trying to use an endpoint, I'm redirected to Google login screen, and after that I'm able to retrieve the user id on the server side.
Now, when I try to remove authentication for public endpoints, notably Swagger, I do that:
#Configuration
public class SecurityConfiguration {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authz) -> authz
.mvcMatchers("/foo",
"/bar",
"/v3/api-docs/**",
"/swagger-ui/**",
"/swagger-ui.html")
.permitAll()
.anyRequest().authenticated())
.oauth2Client();
return http.csrf().disable().build();
}
}
I can then access public endpoints, but for protected endpoints I get an HTTP 403 without being redirected to the login page! My writing might not be correct, most of docs out there use the deprecated WebSecurityConfigurerAdapter.
In my understanding, I should get a token from Google before calling a secured endpoint. How could I add a "login with Google" button to Swagger and use the token to call a secured endpoint?
The log says:
2022-08-07 11:10:52.122 DEBUG 2830 --- [nio-8080-exec-7] o.a.coyote.http11.Http11InputBuffer : Before fill(): parsingHeader: [true], parsingRequestLine: [true], parsingRequestLinePhase: [0], parsingRequestLineStart: [0], byteBuffer.position(): [0], byteBuffer.limit(): [0], end: [613]
2022-08-07 11:10:52.122 DEBUG 2830 --- [nio-8080-exec-7] o.a.tomcat.util.net.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]], Read from buffer: [0]
2022-08-07 11:10:52.122 DEBUG 2830 --- [nio-8080-exec-7] org.apache.tomcat.util.net.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]], Read direct from socket: [613]
2022-08-07 11:10:52.122 DEBUG 2830 --- [nio-8080-exec-7] o.a.coyote.http11.Http11InputBuffer : Received [GET /foo/ HTTP/1.1
Host: localhost:8080
Connection: keep-alive
sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
accept: */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
sec-ch-ua-platform: "macOS"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/swagger-ui/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=D2C74B3FC7E65CB64D4E6BD87B1172E2
]
2022-08-07 11:10:52.123 DEBUG 2830 --- [nio-8080-exec-7] o.a.t.util.http.Rfc6265CookieProcessor : Cookies: Parsing b[]: JSESSIONID=D2C74B3FC7E65CB64D4E6BD87B1172E2
2022-08-07 11:10:52.123 DEBUG 2830 --- [nio-8080-exec-7] o.a.catalina.connector.CoyoteAdapter : Requested cookie session id is D2C74B3FC7E65CB64D4E6BD87B1172E2
2022-08-07 11:10:52.123 DEBUG 2830 --- [nio-8080-exec-7] o.a.c.authenticator.AuthenticatorBase : Security checking request GET /foo/
2022-08-07 11:10:52.124 DEBUG 2830 --- [nio-8080-exec-7] org.apache.catalina.realm.RealmBase : No applicable constraints defined
2022-08-07 11:10:52.124 DEBUG 2830 --- [nio-8080-exec-7] o.a.c.authenticator.AuthenticatorBase : Not subject to any constraint
2022-08-07 11:10:52.124 DEBUG 2830 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Securing GET /foo/
2022-08-07 11:10:52.124 DEBUG 2830 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-08-07 11:10:52.124 DEBUG 2830 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache : Loaded matching saved request http://localhost:8080/foo/
2022-08-07 11:10:52.127 DEBUG 2830 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2022-08-07 11:10:52.128 DEBUG 2830 --- [nio-8080-exec-7] org.apache.tomcat.util.http.Parameters : Set encoding to UTF-8
2022-08-07 11:10:52.128 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.129 DEBUG 2830 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to tools.t.s.FooController#helloWorld()
2022-08-07 11:10:52.130 DEBUG 2830 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/foo/ to session
2022-08-07 11:10:52.130 DEBUG 2830 --- [nio-8080-exec-7] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2022-08-07 11:10:52.130 DEBUG 2830 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-08-07 11:10:52.130 DEBUG 2830 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] o.a.c.c.C.[Tomcat].[localhost] : Processing ErrorPage[errorCode=0, location=/error]
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Securing GET /error
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2022-08-07 11:10:52.131 DEBUG 2830 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Secured GET /error
2022-08-07 11:10:52.132 DEBUG 2830 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-08-07 11:10:52.132 DEBUG 2830 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-08-07 11:10:52.132 DEBUG 2830 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-08-07 11:10:52.132 DEBUG 2830 --- [nio-8080-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Disabling the response for further output
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] o.a.coyote.http11.Http11InputBuffer : Before fill(): parsingHeader: [true], parsingRequestLine: [true], parsingRequestLinePhase: [0], parsingRequestLineStart: [0], byteBuffer.position(): [0], byteBuffer.limit(): [0], end: [613]
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] o.a.tomcat.util.net.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]], Read from buffer: [0]
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] org.apache.tomcat.util.net.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]], Read direct from socket: [0]
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] o.a.coyote.http11.Http11InputBuffer : Received []
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] o.apache.coyote.http11.Http11Processor : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]], Status in: [OPEN_READ], State out: [OPEN]
2022-08-07 11:10:52.133 DEBUG 2830 --- [nio-8080-exec-7] org.apache.tomcat.util.net.NioEndpoint : Registered read interest for [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#1a16ddaf:org.apache.tomcat.util.net.NioChannel#14d1309d:java.nio.channels.SocketChannel[connected local=/[0:0:0:0:0:0:0:1]:8080 remote=/[0:0:0:0:0:0:0:1]:50920]]
2022-08-07 11:11:10.393 DEBUG 2830 --- [l-1 housekeeper] com.zaxxer.hikari.pool.HikariPool : HikariPool-1 - Pool stats (total=10, active=0, idle=10, waiting=0)
2022-08-07 11:11:10.393 DEBUG 2830 --- [l-1 housekeeper] com.zaxxer.hikari.pool.HikariPool : HikariPool-1 - Fill pool skipped, pool is at sufficient level.


I've changed .oauth2Client(); to .oauth2Login(); and it works.

Related

After migration to SpringBoot 3 REST endpoint works but returns 401 for Mono<ResponseEntity<String>>

I have a strange problem. I migrated a SpringBoot 2.7.7 application to SpringBoot 3.0.2.
In some controllers I defined endpoints which return a Mono<ResponseEntity<String>>.
A service for example declares a function to send an eMail via webclient like this:
fun sendMail(mail: Mail): Mono<String> {
return factory.requestFor(mail)
.retrieve()
.toBodilessEntity()
.map { "${it.statusCode}: ${it.body}" }
.doOnSuccess { logger.debug("Request successful: $it") }
.doOnError { logger.error("Error occured sending an email: ${it.message}") }
}
The controller calls the service like that:
#PostMapping("/mail")
fun sendTestMail(#RequestBody mail: TestMail): Mono<ResponseEntity<String>> {
return sampleService.sendMail(mail)
.map {
ResponseEntity.ok("")
}
.onErrorResume {
return#onErrorResume Mono.just(
ResponseEntity
.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body(it.localizedMessage)
)
}
}
As stated in the title, this code works with SpringBoot 2.7.7 and returns http 200. However with SpringBoot 3.0.2 all code gets executed, the mail is send but the REST endpoint returns http 401.
If the request is not authenticated with a jwt token my auth filter works correctly and rejects the request. The #PreAuthorize annotation also works and rejects requests with a faulty role.
I am not sure if I missed any migration topics for webclient calls.
Update SpringSecurity TRACE logs:
2023-02-16 12:50:32.074 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/actuator/**'], Mvc [pattern='/v3/api-docs/**'], Mvc [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter#2c82ba48, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#304a572b, org.springframework.security.web.context.SecurityContextHolderFilter#16cfb949, org.springframework.security.web.header.HeaderWriterFilter#2f83993e, org.springframework.security.web.authentication.logout.LogoutFilter#71c63303, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#ef244cf, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#2bd4bd7a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#182d9b57, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#62c46e54, org.springframework.security.web.session.SessionManagementFilter#2cbc1036, org.springframework.security.web.access.ExceptionTranslationFilter#3ea070ca, org.springframework.security.web.access.intercept.AuthorizationFilter#741a2b1b]] (1/2)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter#5048d2e6, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#d701f6f, org.springframework.security.web.context.SecurityContextHolderFilter#388f1f0d, org.springframework.security.web.header.HeaderWriterFilter#63fa5fb5, com..config.FilterChainExceptionHandler#759b5453, com.config.JwtAuthTokenFilter#1fc978f1, org.springframework.security.web.authentication.logout.LogoutFilter#3bfe17d3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#3381b921, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#2edc4925, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#900560c, org.springframework.security.web.session.SessionManagementFilter#547d3cca, org.springframework.security.web.access.ExceptionTranslationFilter#f114f2b, org.springframework.security.web.access.intercept.AuthorizationFilter#6c1f390c]] (2/2)
2023-02-16 12:50:32.075 =DEBUG n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Securing POST /initpasswordreset
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/13)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (5/13)
2023-02-16 12:50:32.075 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (6/13)
2023-02-16 12:50:32.109 =TRACE n/a --- [nio-8080-exec-7] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-16 12:50:32.120 = INFO n/a --- [nio-8080-exec-7] c.e.auth.RefreshTokenService : Update RefreshToken validFrom for user test
2023-02-16 12:50:32.135 =DEBUG n/a --- [nio-8080-exec-7] c.e.config.JwtAuthTokenFilter : API request to </initpasswordreset> with token <true>
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=test, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_APP_USER, ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_APP_USER, ROLE_USER]]
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/1)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 12:50:32.135 =TRACE n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 12:50:32.136 =DEBUG n/a --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Secured POST /initpasswordreset
2023-02-16 12:50:32.149 =DEBUG n/a --- [nio-8080-exec-7] horizationManagerBeforeMethodInterceptor : Authorizing method invocation ReflectiveMethodInvocation: public java.lang.String com.passwordreset.rest.ResetTokenService.createPasswordResetTokenForUser(comuser.domain.User); target is of class [com.passwordreset.rest.ResetTokenService]
2023-02-16 12:50:32.150 =DEBUG n/a --- [nio-8080-exec-7] horizationManagerBeforeMethodInterceptor : Authorized method invocation ReflectiveMethodInvocation: public java.lang.String com.passwordreset.rest.ResetTokenService.createPasswordResetTokenForUser(com.user.domain.User); target is of class [com.passwordreset.rest.ResetTokenService]
2023-02-16 12:50:32.168 =TRACE n/a --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-02-16T12:50:32.290+01:00 =DEBUG 80044 --- [ctor-http-nio-4] r.netty.http.client.HttpClientConnect : [91ad2cec-1, L:/ip:port - R:test-servicegateway.test.com/195.35.76.39:443] Handler is being applied: {uri=https://servicegateway.test.com/api, method=POST}
2023-02-16T12:50:32.371+01:00 =DEBUG 80044 --- [ctor-http-nio-4] r.n.http.client.HttpClientOperations : [91ad2cec-1, L:/ip:port - R:test-servicegateway.test.com/195.35.76.39:443] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 200 OK
Strict-Transport-Security: <filtered>
X-XSS-Protection: <filtered>
X-Content-Type-Options: <filtered>
Date: <filtered>
Server: <filtered>
X-Backside-Transport: <filtered>
Content-Type: <filtered>
X-Global-Transaction-ID: <filtered>
Content-Length: <filtered>
2023-02-16T12:50:32.372+01:00 =DEBUG 80044 --- [ctor-http-nio-4] r.n.http.client.HttpClientOperations : [91ad2cec-1, L:/ip:port - R:test-servicegateway.test.com/ip:443] Received last HTTP packet
2023-02-16 12:50:32.372 =DEBUG n/a --- [ctor-http-nio-4] c.e.adapters.mail.MailClient : Request successful: 200 OK: null
2023-02-16 12:50:32.372 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/actuator/**'], Mvc [pattern='/v3/api-docs/**'], Mvc [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter#2c82ba48, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#304a572b, org.springframework.security.web.context.SecurityContextHolderFilter#16cfb949, org.springframework.security.web.header.HeaderWriterFilter#2f83993e, org.springframework.security.web.authentication.logout.LogoutFilter#71c63303, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#ef244cf, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#2bd4bd7a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#182d9b57, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#62c46e54, org.springframework.security.web.session.SessionManagementFilter#2cbc1036, org.springframework.security.web.access.ExceptionTranslationFilter#3ea070ca, org.springframework.security.web.access.intercept.AuthorizationFilter#741a2b1b]] (1/2)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter#5048d2e6, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#d701f6f, org.springframework.security.web.context.SecurityContextHolderFilter#388f1f0d, org.springframework.security.web.header.HeaderWriterFilter#63fa5fb5, com..config.FilterChainExceptionHandler#759b5453, com.config.JwtAuthTokenFilter#1fc978f1, org.springframework.security.web.authentication.logout.LogoutFilter#3bfe17d3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#3381b921, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#2edc4925, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#900560c, org.springframework.security.web.session.SessionManagementFilter#547d3cca, org.springframework.security.web.access.ExceptionTranslationFilter#f114f2b, org.springframework.security.web.access.intercept.AuthorizationFilter#6c1f390c]] (2/2)
2023-02-16 12:50:32.373 =DEBUG n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Securing POST /initpasswordreset
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (5/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (6/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 12:50:32.373 =TRACE n/a --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 12:50:32.374 =TRACE n/a --- [nio-8080-exec-8] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-16 12:50:32.374 =TRACE n/a --- [nio-8080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
I am not sure why the chain is excuted again after the business logic is executed. Do I need to persist the SecurityContext in this case manually?

How to make swagger work with Spring boot and ssl?

I have a Spring boot app and I am trying to add swagger to it.
However, after activating SSL, swagger cannot load the resources.
The dependencies I am using in gradle are
implementation("org.springdoc:springdoc-openapi-ui:1.6.6")
implementation("org.springdoc:springdoc-openapi-kotlin:1.6.6")
implementation("org.springdoc:springdoc-openapi-security:1.6.6")
There might be a problem with my HttpSecurityConfig
override fun configure(http: HttpSecurity?) {
http!!.csrf().disable()
.sessionManagement().sessionCreationPolicy(STATELESS)
.and()
.requiresChannel {
it.anyRequest().requiresSecure()
}
.authorizeRequests().antMatchers("auth/refresh")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.successForwardUrl("/home")
.and()
.addFilter(CustomAuthenticationManager(authenticationManagerBean(), jwtService, encoder()))
.addFilterBefore(
JwtAuthenticationFilter(userDetailsService, jwtService, JWT_AUTH_WHITELIST, SWAGGER_WHITELIST_PREFIX),
UsernamePasswordAuthenticationFilter::class.java
)
}
I have tried adding a swagger whitelist or something, but still doesn't resolve the issue.
I have tried configuring web security like that
override fun configure(web: WebSecurity?) {
web!!.ignoring()
// allow anonymous resource requests
.antMatchers(
HttpMethod.GET,
"/",
"/v3/api-docs", // swagger
"/webjars/**", // swagger-ui webjars
"/swagger-resources/**", // swagger-ui resources
"/configuration/**", // swagger configuration
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/swagger-ui/"
)
}
but to no avail.
As for the properties that I am using for the ssl config
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=pkcs12
server.ssl.key-password=password
server.ssl.enabled=true
server.port=8443
And the debug message upon every attempt to go to the swagger home page is
2022-03-24 21:14:49.167 INFO 124836 --- [nio-8443-exec-4] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2022-03-24 21:14:49.167 INFO 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2022-03-24 21:14:49.167 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Detected StandardServletMultipartResolver
2022-03-24 21:14:49.167 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Detected AcceptHeaderLocaleResolver
2022-03-24 21:14:49.167 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Detected FixedThemeResolver
2022-03-24 21:14:49.170 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator#6a175162
2022-03-24 21:14:49.171 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.support.SessionFlashMapManager#6da86e98
2022-03-24 21:14:49.171 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
2022-03-24 21:14:49.171 INFO 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Completed initialization in 4 ms
2022-03-24 21:14:49.217 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : GET "/swagger-ui/", parameters={}
2022-03-24 21:14:49.240 DEBUG 124836 --- [nio-8443-exec-4] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/webjars/]]
2022-03-24 21:14:49.249 DEBUG 124836 --- [nio-8443-exec-4] o.s.w.s.r.ResourceHttpRequestHandler : Resource not found
2022-03-24 21:14:49.250 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Completed 404 NOT_FOUND
2022-03-24 21:14:49.260 DEBUG 124836 --- [nio-8443-exec-4] o.s.security.web.FilterChainProxy : Securing GET /error
2022-03-24 21:14:49.263 DEBUG 124836 --- [nio-8443-exec-4] o.s.s.w.a.c.ChannelProcessingFilter : Request: filter invocation [GET /error]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2022-03-24 21:14:49.265 DEBUG 124836 --- [nio-8443-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-03-24 21:14:49.268 DEBUG 124836 --- [nio-8443-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2022-03-24 21:14:49.269 DEBUG 124836 --- [nio-8443-exec-4] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id 16CDDEC21653310720625F5BEF0EF604
2022-03-24 21:14:49.270 DEBUG 124836 --- [nio-8443-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized public object filter invocation [GET /error]
2022-03-24 21:14:49.272 DEBUG 124836 --- [nio-8443-exec-4] o.s.security.web.FilterChainProxy : Secured GET /error
2022-03-24 21:14:49.272 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for GET "/error", parameters={}
2022-03-24 21:14:49.277 DEBUG 124836 --- [nio-8443-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2022-03-24 21:14:49.318 DEBUG 124836 --- [nio-8443-exec-4] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, text/html;q=0.8]
2022-03-24 21:14:49.326 DEBUG 124836 --- [nio-8443-exec-4] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 404
2022-03-24 21:14:49.326 DEBUG 124836 --- [nio-8443-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
I have tried following other SO answers, like configuring web mvc configures, adding resource and location handlers, but to no avail. If I switch off the ssl, everything works just fine.
As far as I understand the issue is the access to the internal resources or maybe the path the resources.
Maybe I could bypass it by having it run on a different app?

Unable to fetch the view file

On making a GET Request which returns a ModelAndView Object I am getting the following error
: GET "/tweet2?email=tim#gmail.com", parameters={masked} 2022-03-08
11:04:45.459 DEBUG 46576 --- [nio-8080-exec-3]
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to
com.example.demo.RestAPIExample#getTweetsByEmail(String) 2022-03-08
11:04:45.464 DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.s.v.ContentNegotiatingViewResolver : Selected '/' given [/]
2022-03-08 11:04:45.464 DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.servlet.view.InternalResourceView : View name 'tweets', model
{tweets=[com.example.demo.Tweet#3a7a85cb]} 2022-03-08 11:04:45.465
DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.servlet.view.InternalResourceView : Forwarding to [tweets]
2022-03-08 11:04:45.467 DEBUG 46576 --- [nio-8080-exec-3]
o.s.web.servlet.DispatcherServlet : "FORWARD" dispatch for GET
"/tweets?email=tim#gmail.com", parameters={masked} 2022-03-08
11:04:45.470 DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped to
ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath
[resources/], classpath [static/], classpath [public/], ServletContext
[/]] 2022-03-08 11:04:45.472 DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.s.r.ResourceHttpRequestHandler : Resource not found
2022-03-08 11:04:45.473 DEBUG 46576 --- [nio-8080-exec-3]
o.s.web.servlet.DispatcherServlet : Exiting from "FORWARD"
dispatch, status 404 2022-03-08 11:04:45.473 DEBUG 46576 ---
[nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : Completed
404 NOT_FOUND 2022-03-08 11:04:45.474 DEBUG 46576 ---
[nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : "ERROR"
dispatch for GET "/error?email=tim#gmail.com", parameters={masked}
2022-03-08 11:04:45.475 DEBUG 46576 --- [nio-8080-exec-3]
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to
org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2022-03-08 11:04:45.482 DEBUG 46576 --- [nio-8080-exec-3]
o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json',
given [/] and supported [application/json, application/+json,
application/json, application/+json] 2022-03-08 11:04:45.483 DEBUG
46576 --- [nio-8080-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor :
Writing [{timestamp=Tue Mar 08 11:04:45 IST 2022, status=404,
error=Not Found, path=/tweet2}] 2022-03-08 11:04:45.497 DEBUG 46576
--- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 404
Here is the code I wrote:
#GetMapping("/tweet2")
public ModelAndView getTweetsByEmail(#RequestParam String email) {
ModelAndView modelAndView = new ModelAndView("tweets");
List<Tweet> tweets = tweetMap.get(email);
modelAndView.getModel().put("tweets",tweets);
return modelAndView;
}
And there is a tweets.mustache file under the resources folder. Not sure why its unable to detect it

SAML 2.0 integration with Spring boot application issue

I am trying to integrate a Spring boot based application with and IDp that is using componentSpace lib for SAML.
The Spring application (service provider) working fine with other Idp like Octa. But while integrating with component Space it is facing issues and getting following error.
Differences when I compared the logs with Octa request:
Octa is sending Get request while from component space it is post request.
From Octa I am able to get userid (the login id) but from component space it is comping as anonymousUser.
So my question is can we hit Get request instead of Post. And any reason why it is not setting userId value?
Logs:
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : No security for POST /saml/sso
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.s.HttpSessionRequestCache : No saved request
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2020-12-16 07:00:55.803 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2020-12-16 07:00:56.809 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
2020-12-16 07:00:56.811 TRACE 9144 --- [nio-8443-exec-1] edFilterInvocationSecurityMetadataSource : Did not match request to Ant [pattern='/saml**', OPTIONS] - [hasAnyRole('ROLE_')] (1/2)
2020-12-16 07:00:57.501 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
2020-12-16 07:00:57.502 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /saml/sso] with attributes [authenticated]
2020-12-16 07:01:03.577 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.expression.WebExpressionVoter : Voted to deny authorization
2020-12-16 07:01:03.580 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [POST /saml/sso] with attributes [authenticated] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter#24cfcf19], AllowIfAllAbstainDecisions=false]
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2020-12-16 07:01:03.736 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:238) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:208) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:113) ~[spring-security-web-5.4.1.jar:5.4.1]

Swagger2 ui not accessbile

I am using Swagger in a Spring boot application,
I somehow can access most of Swagger's endpoints such as /v2/api-docs, /swagger-resources but I can't figure out why /swagger-ui.html is not accessible.
I am using these dependencies:
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
</dependency>
here is my Swagger Config class:
#Configuration
#EnableSwagger2
public class SwaggerConfig {
#Bean
public Docket api() {
return new Docket(DocumentationType.SWAGGER_2)
.select()
.apis(RequestHandlerSelectors.basePackage("app.controllers"))
.paths(PathSelectors.any())
.build();
}
}
Here is the interesting part of the log:
2017-12-27 14:12:09.896 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-12-27 14:12:09.896 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/v2/api-docs'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/configuration/ui'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/swagger-resources'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/configuration/security'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/swagger-ui.html'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/webjars/**'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /springfox/swagger-ui.html' doesn't match 'POST /login
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /springfox/swagger-ui.html; Attributes: [authenticated]
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#8f3b828e: Principal: 0001; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#45d0a23, returned: 1
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html reached end of additional filter chain; proceeding with original chain
2017-12-27 14:12:09.904 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/springfox/swagger-ui.html]
2017-12-27 14:12:09.906 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /springfox/swagger-ui.html
2017-12-27 14:12:09.919 DEBUG 10212 --- [nio-8080-exec-1] .m.m.a.ExceptionHandlerExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 DEBUG 10212 --- [nio-8080-exec-1] .w.s.m.a.ResponseStatusExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 DEBUG 10212 --- [nio-8080-exec-1] .w.s.m.s.DefaultHandlerExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 WARN 10212 --- [nio-8080-exec-1] o.s.web.servlet.PageNotFound : Request method 'GET' not supported
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl#8f3b828e: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#8f3b828e: Principal: 0001; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade#3bcccd7c
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
2017-12-27 14:12:09.922 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.w.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#203209de
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost] : Processing ErrorPage[errorCode=0, location=/error]
2017-12-27 14:12:09.928 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
2017-12-27 14:12:09.928 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /error
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public org.springframework.http.ResponseEntity io.xhub.secusid.exception.SecusidErrorHandler.error(javax.servlet.http.HttpServletRequest)]
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'secusidErrorHandler'
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/error] is: -1
2017-12-27 14:12:09.943 DEBUG 10212 --- [nio-8080-exec-1] i.x.s.exception.SecusidErrorHandler : Request method 'GET' not supported
org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported

Try adding a class like this
#Configuration
public class WebMvcConfiguration extends WebMvcConfigurationSupport {
#Override
public void addResourceHandlers(final ResourceHandlerRegistry registry) {
// Make Swagger meta-data available via <baseURL>/v2/api-docs/
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
// Make Swagger UI available via <baseURL>/swagger-ui.html
registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/");
}
}

Resources