I'm trying to implement JWT in Spring Boot. For some debugging purposes, I need an H2 console.
So in my WebSecurityConfiguration, I wrote :
```java
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    //httpSecurity.headers().frameOptions().disable();
    httpSecurity.authorizeRequests().antMatchers("/h2").permitAll();
    httpSecurity
        .csrf().disable()
        .authorizeRequests()
        .antMatchers("/auth/check/username").permitAll()
        .antMatchers("/auth/signup").permitAll()
        .antMatchers("/auth/login").permitAll()
        .anyRequest().authenticated().and()
        .exceptionHandling().and().sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
```
In my application properties, I have this configuration :
```properties
spring.h2.console.enabled=true
spring.h2.console.path=/h2
```
When I hit ":8080/h2", it gives me 403.
So the question remains: how can I properly configure Spring Boot Web Security?
After including /h2/**, I get this UI :
Please try the "h2" pattern as:
```java
httpSecurity.authorizeRequests().antMatchers("/h2/**").permitAll();
```
And this too:
```java
httpSecurity.headers().frameOptions().disable();
```
More can be found here: How to disable 'X-Frame-Options' response header in Spring Security?
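As an added example (not the asker's or the answerer's code), the two suggestions above folded into the question's own `configure` method, keeping its JWT filter and stateless session policy. `JwtRequestFilter` is assumed to be the filter type behind the `jwtRequestFilter` field in the question. `sameOrigin()` is used in place of `disable()`: the H2 console renders itself in frames, and allowing same-origin framing is enough for it, whereas `disable()` would remove the `X-Frame-Options` header from every response of the application.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed: the JWT filter class from the asker's project (the field name is from the question).
    @Autowired
    private JwtRequestFilter jwtRequestFilter;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Stateless JWT API: no session cookie, so CSRF protection is switched off as in the question.
            .csrf().disable()
            // Allow this application to frame its own pages (the H2 console needs that);
            // other origins still get X-Frame-Options: SAMEORIGIN and cannot frame the app.
            .headers().frameOptions().sameOrigin().and()
            .authorizeRequests()
                // "/h2" matches only the bare path; the console's pages and assets live
                // below it, so the ** wildcard is what makes the UI load without a 403.
                .antMatchers("/h2/**").permitAll()
                .antMatchers("/auth/check/username", "/auth/signup", "/auth/login").permitAll()
                .anyRequest().authenticated().and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

The console gives whoever reaches it direct SQL access to the database, so `spring.h2.console.enabled=true` belongs in a development profile only; with it left at the default `false` in production, the `/h2/**` rule above is harmless because nothing is served there.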
I'm trying to setup my Spring Boot 3.0 / Spring Security 6 app with multiple security configs.
only /oauth/token should use/allow/enforce basic auth
all other endpoints will use/allow/enforce bearer auth
The issue I'm running into is that if I send a GET request to /test with the header Authorization: Basic xxx the basic auth filter is still picking it up.
This is what I have so far. The bearer filter isn't implemented yet, but for the sake of this question, let's assume all other endpoints should be wide open instead. How can I get them to bypass the basic auth filter if a user passes in basic auth header?
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf(CsrfConfigurer::disable)
        .authorizeHttpRequests()
        .requestMatchers("/oauth/token").authenticated()
        .anyRequest().permitAll()
        .and()
        .httpBasic(Customizer.withDefaults());
    return http.build();
}
```
Like this one:
```java
private static final String[] RESOURCE_ARGS = new String[]{
    "/test/**"
};

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests()
        .requestMatchers(RESOURCE_ARGS).permitAll();
    http
        .csrf(CsrfConfigurer::disable)
        .authorizeHttpRequests()
        .requestMatchers("/oauth/token").authenticated()
        .anyRequest().permitAll()
        .and()
        .httpBasic(Customizer.withDefaults());
    // ...
}
```
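Added example, not code from the asker or the reply above: a single `HttpSecurity` can only carry one set of filters, so the Basic filter registered by `httpBasic()` runs for every request that chain handles, whatever the authorization rules say. Spring Security 6 lets you define several `SecurityFilterChain` beans instead, each scoped with `securityMatcher(...)` and ordered with `@Order`; only the chain that owns `/oauth/token` registers `httpBasic()`, so a `Authorization: Basic xxx` header on `GET /test` is never parsed. Paths are the ones from the question; the bean and class names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1 (evaluated first): claims only /oauth/token. httpBasic() is registered
    // here and nowhere else, so BasicAuthenticationFilter exists only in this chain.
    @Bean
    @Order(1)
    SecurityFilterChain tokenEndpointChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/oauth/token")
            .csrf(CsrfConfigurer::disable)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: every request the first chain did not claim, e.g. GET /test.
    // There is no httpBasic() here, so an "Authorization: Basic ..." header is not
    // decoded or validated; it is just an unused request header in this chain.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .csrf(CsrfConfigurer::disable)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }
}
```

The second chain is where the bearer-token filter goes once it exists; keeping the two mechanisms in separate chains is what guarantees that a Basic header can never satisfy a bearer-only endpoint, and vice versa.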
I have a requirement where I just need to secure the Swagger UI page. All other endpoints I have written in the application should not be authenticated.
For this, I am using the Spring security starter. I have the Security Config for Spring boot in place. I am trying to authenticate ("/v2/api-docs") because this is where we see all the endpoints in Swagger UI. And also I am trying to permit ("/calculator-controller/callCalculatorServiceUsingPOST") which I see in browser URL when I click on my end point Try it now button and also permitting ("/calculate") which is in my controller. To be safer, I have tried to permit all possible combinations, but no luck.
What am I missing?
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/v2/api-docs").authenticated()
            .antMatchers("/calculator-controller/callCalculatorServiceUsingPOST",
                         "calculator-controller/**", "/calculate")
            .permitAll()
            .and()
            .httpBasic();
    }
}
```
So my problem is a little different from the rest of the Spring Boot questions. I want to allow POST requests in my security config, but only with authentication.
Here is my config file:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .httpBasic();
    http.csrf().disable();
}
```
thanks for helping ;)
You can use antMatchers with the following pattern:
```java
antMatchers(HttpMethod.POST)
```
If you want to authenticate the POST method of only a certain path:
```java
antMatchers(HttpMethod.POST, "/path")
```
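Added example (not the asker's or answerer's code) showing the method-specific matcher inside a complete configuration: POSTs need Basic credentials while GETs on the same paths stay open. The `/items/**` path and the class name are assumptions; the rest mirrors the question's config.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class PostOnlySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top to bottom and the first match wins, so the
                // method-specific rules must come before any catch-all.
                .antMatchers(HttpMethod.POST, "/items/**").authenticated() // assumed path
                .antMatchers(HttpMethod.GET, "/items/**").permitAll()
                .antMatchers(HttpMethod.POST).authenticated()              // every other POST
                .anyRequest().permitAll()
            .and()
            .httpBasic();
        // Disabled as in the question. Note that browsers resend cached Basic
        // credentials automatically, so if a browser will ever call these POST
        // endpoints, CSRF protection should stay enabled instead.
        http.csrf().disable();
    }
}
```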
We have developed our own Authorization Server which we are using for Single Sign-On.
We developed our client app with the annotation @EnableOAuth2Sso and the following configuration:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .and()
        .antMatcher("/**")
        .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class).authorizeRequests()
        .and()
        .authorizeRequests()
        .antMatchers("/", "/login/**", "/callback/url/**", "/error**", "/webjars/**", "/favicon.ico**").permitAll()
        .anyRequest().authenticated()
        .and().formLogin().failureHandler(customAuthenticationFailureHandler)
        .and().httpBasic()
        .and()
        .logout().invalidateHttpSession(true).deleteCookies("JSESSIONID");
}
```
It was working fine, but now I want to use the .oauth2Login() feature that comes with Spring Security 5, so I changed the annotation from @EnableOAuth2Sso to @EnableOAuth2Client and used the following configuration:
```java
@Override
public void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**")
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .oauth2Login();
}
```
Now while compiling I am getting the following error messages:
```text
Description:

Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' that could not be found.

The following candidates were found but could not be injected:
- Bean method 'clientRegistrationRepository' in 'OAuth2ClientRegistrationRepositoryConfiguration' not loaded because OAuth2 Clients Configured Condition registered clients is not available

Action:

Consider revisiting the entries above or defining a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' in your configuration.
```
So I changed my application.properties from
```properties
security.oauth2.client.auto-approve-scopes=read,write
security.oauth2.client.access-token-uri=http://localhost:8080/xxxxx/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:8080/xxxxx/oauth/authorize
security.oauth2.client.client-id=xxx
security.oauth2.client.client-secret=secret
security.oauth2.client.pre-established-redirect-uri=http://localhost:11001/xxx/login/oauth2/code
security.oauth2.client.registered-redirect-uri=http://localhost:11001/xxx/login/oauth2/code
security.oauth2.client.useCurrentUri=false
security.oauth2.client.use-current-uri=false
security.oauth2.client.grant-type=authorization_code, refresh_token
```
to the following
```properties
spring.security.oauth2.client.registration.client-id=xxx_client
spring.security.oauth2.client.registration.client-secret=secret
spring.security.oauth2.client.registration.authorization-grant-type=authorization_code,refresh_token
spring.security.oauth2.client.registration.redirect-uri=http://localhost:11001/xxx/login/oauth2/code
spring.security.oauth2.client.registration.scope=read,write
spring.security.oauth2.client.registration.client-name=xxxxx
spring.security.oauth2.client.registration.xxxxx.client-authentication-method=POST
spring.security.oauth2.client.provider.token-uri=http://localhost:8080/xxxxx/oauth/token
spring.security.oauth2.client.provider.authorization-uri=http://localhost:8080/xxxxx/oauth/authorize
spring.security.oauth2.client.provider.user-info-uri=http://localhost:8080/xxxxx/validateLogin
```
But it displays a welcome page where our authorization server name is shown, i.e. xxxxx, and if I click that link it does not connect to our authorization server.
I am confused here: what is the difference between @EnableOAuth2Sso and @EnableOAuth2Client, and why do we need to change our properties when we use oauth2Login()?
Is there any good example of using oauth2Login() with a custom OAuth2 provider (instead of Google, Facebook, Okta, etc.)? I searched Google but no example is provided anywhere.
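Added example, not the asker's code: the startup error above says that no `ClientRegistrationRepository` bean exists. Spring Security 5's `oauth2Login()` needs exactly one such bean, and the property-based auto-configuration only creates it when the keys carry a registration id between `registration.` and the property name (`spring.security.oauth2.client.registration.<id>.client-id`, with the provider keys under `spring.security.oauth2.client.provider.<id>.`). The same registration can be declared in Java, which also makes clear which values are required for a custom provider. The values below are the placeholders from the question; `userNameAttributeName("name")` is an assumption about the JSON field the `validateLogin` endpoint returns, and `ClientAuthenticationMethod.CLIENT_SECRET_POST` and `redirectUri(...)` assume Spring Security 5.5 or later.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class CustomProviderClientRegistrationConfig {

    // Registration id "xxxxx" (placeholder from the question). It becomes the last
    // path segment of the redirect URI and the entry on the generated login page.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration custom = ClientRegistration.withRegistrationId("xxxxx")
            .clientId("xxx_client")
            .clientSecret("secret")
            // Matches the "client-authentication-method=POST" property: the secret is
            // sent in the token request body rather than as HTTP Basic.
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            // {baseUrl} and {registrationId} are expanded at runtime; the expanded URL
            // must be registered verbatim at the authorization server, otherwise the
            // server will (correctly) reject the redirect.
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("read", "write")
            .authorizationUri("http://localhost:8080/xxxxx/oauth/authorize")
            .tokenUri("http://localhost:8080/xxxxx/oauth/token")
            .userInfoUri("http://localhost:8080/xxxxx/validateLogin")
            // Assumed: the attribute in the user-info response that identifies the user.
            .userNameAttributeName("name")
            .clientName("xxxxx")
            .build();
        return new InMemoryClientRegistrationRepository(custom);
    }
}
```

With this bean present, `oauth2Login()` no longer depends on the properties, and the link on the generated login page points at the `authorizationUri` given here. Only one grant type is accepted per registration; `refresh_token` is not a separate registration value in this model.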
I have a Spring HttpSecurity configuration as
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable().httpBasic().and()
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/secure/**").authenticated()
        .antMatchers("/backend/**").authenticated()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
}
```
It might be stupid for the client to set the Authorization header for '/public/**' endpoints.
However, I noticed Spring Security attempts to authenticate and tries to create an authenticated session even for public requests, because the Authorization header was provided.
Should the HttpSecurity config not override this behaviour?
Answered in the comments:
No, it shouldn't... permitAll is something different from not secured at all. For the latter, override 'configure(WebSecurity)' and use 'ignoring' for no security at all.
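Added example (not the asker's or the commenter's code) of the distinction the comment draws. `permitAll()` only relaxes the authorization decision; the request still passes through the whole filter chain, including `BasicAuthenticationFilter`, which will try to authenticate any `Authorization: Basic` header it sees. `web.ignoring()` removes the matched paths from the chain entirely. The paths are the ones from the question; the class name is an assumption.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class IgnoringSecurityConfig extends WebSecurityConfigurerAdapter {

    // Requests to /public/** never enter the Spring Security filter chain, so no
    // BasicAuthenticationFilter runs and a stray Authorization header is ignored.
    // Caveat: the header-writing filters are skipped too, so these responses carry
    // none of the security headers (X-Content-Type-Options, X-Frame-Options, ...)
    // that the rest of the application gets; serve only genuinely static, harmless
    // content this way.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/public/**");
    }

    // Everything else goes through the chain exactly as in the question.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.csrf().disable().httpBasic().and()
            .authorizeRequests()
            .antMatchers("/secure/**").authenticated()
            .antMatchers("/backend/**").authenticated()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
    }
}
```

A practical middle ground, when the public endpoints should keep the security headers, is to leave them in the chain with `permitAll()` and accept that a bad `Authorization` header on them yields a 401; with `STATELESS` no session is ever created for them, so the cost is a failed credential check, not a leaked session.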