Develop Reference

antMatchers(HttpMethod.GET, "path").permitAll() is still 401 unauthorized

I was searching a lot to find solution of my problem but nothing helps.
I am tryng to set up my Spring Security as:
#Override
public void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.PUT, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.GET, "/shapes").permitAll()
.antMatchers("/users", "/shapes/history").permitAll()
.anyRequest().authenticated()
.and()
.cors()
.and()
.csrf()
.disable();
}
and now:
every request on endpoint /users is open, is not secured
#PostMapping("/shapes") is secured and returns 401 unauthorized
#GetMapping is secured too - it returns 401 error if I not add username and password <- there is problem of that question
/shapes/history is secured too
so the problem has to be here somewhere:
.antMatchers(HttpMethod.POST, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.PUT, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.GET, "/shapes").permitAll()
I won't to change endpoints, I would like to have #GetMapping and #PostMapping on the /shapes.

Spring Web Security Incorrect Configuration

I am trying to enable basic http authentication for the actuator endpoints while keeping the jwt authentication for the api endpoints. I tried the following configuration for this:
#Override
public void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.anonymous()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("/service/actuator/**")
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/service/api/**")
.authenticated()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint);
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
However, it appears that I can use the JWT token and basic auth as well for the actuator endpoints while no authentication also works for all the api endpoints.
Did I mess up the order? Is there a better way to do this?

the following worked for me
#Override
public void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.anonymous()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/service/actuator/**")
.permitAll()
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/service/api/**")
.authenticated()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint);
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
}

Disable multiple logins for same user in spring boot

HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
protected void configure(final HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(
"/getUser",
"/v2/api-docs",
"/configuration/ui",
"/swagger-resources/**",
"/swagger-ui.html",
"/webjars/**"
,"/**/user/reset-password-first-attempt"
,"/**/user/forget-password-email"
,"/**/user/forget-password"
).permitAll()
.mvcMatchers(
"/css/**",
"/images/**",
"/fonts/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(this.successHandler())
.failureHandler(this.customAuthenticationHandler)
.and()
.logout()
.logoutSuccessHandler(logoutSuccessHandler())
.and()
.exceptionHandling()
.accessDeniedHandler(this.accessDeniedHandler())
.authenticationEntryPoint(this.authenticationEntryPoint())
.and()
.sessionManagement()
.maximumSessions(1).maxSessionsPreventsLogin(true);}
this is the code that i am using to disable multiple logins. i saw some several examples and i tried most of them. but those didnt work in my application. is there any other solution or is there any wrong with my code. thanks in advance

antMatchers that matches any beginning of path

I've got REST service that will be used for authentication. The authentication endpoint will look like /api/v.1/authentication. The API version is a variable that can be changed to reflect updated versions. One example would be /api/v.2/authentication. I like to have an antMatcher that can deal with both these cases so I tried .antMatchers(HttpMethod.POST,"**/authenticate").permitAll() using ** to match any beginning of the endpoint but this doesn't work. The full setup below.
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "**/authenticate").permitAll()
.antMatchers(HttpMethod.GET, "**/get-public-key").permitAll()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated();
}
Any suggestions how I can solve this?

You have to use absolute pattern, see AntPathMatcher:
Note: a pattern and a path must both be absolute or must both be relative in order for the two to match. Therefore it is recommended that users of this implementation to sanitize patterns in order to prefix them with "/" as it makes sense in the context in which they're used.
Your modified and simplified configuration:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/**/authenticate").permitAll()
.antMatchers(HttpMethod.GET, "/**/get-public-key").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated();
}

Spring Security Ignores all requests when you should just ignore the OPTIONS requests

Before GET/POST request the client make a OPTIONS request, so I keep this calls ignored. But when I make this configuration, the another requests(GET/POST) are ignored too (but should not ignore).
When I add this line:
.antMatchers(HttpMethod.OPTIONS);
All requests are ignored, but the GET/POST should not ignored.
The following is the configuration method:
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(HttpMethod.POST, "/login")
.antMatchers(HttpMethod.OPTIONS);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.anyRequest().authenticated()
.antMatchers(HttpMethod.OPTIONS).permitAll()
.antMatchers(HttpMethod.GET, "/login/authenticate").authenticated()
.antMatchers(HttpMethod.GET, "/credenciadas**").hasRole(PermissaoEnum.CONSULTAR_CREDENCIADA.getNomeInterno())
.antMatchers(HttpMethod.POST, "/credenciadas/validar").hasRole(PermissaoEnum.CONSULTAR_CREDENCIADA.getNomeInterno())
.antMatchers(HttpMethod.POST, "/credenciadas").hasRole(PermissaoEnum.INCLUIR_CREDENCIADA.getNomeInterno())
.antMatchers(HttpMethod.POST, "/credenciadas/alterar").hasRole(PermissaoEnum.ALTERAR_CREDENCIADA.getNomeInterno())
.antMatchers(HttpMethod.DELETE, "/credenciadas/").hasRole(PermissaoEnum.EXCLUIR_CREDENCIADA.getNomeInterno())
.and()
.addFilterBefore(authenticationByTokenFilter(), UsernamePasswordAuthenticationFilter.class)
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
.and()
.csrf().disable();
}

Could you verify if you set the prefix string at role name as: "ROLE_"? The role name could be wrong.