I'm working on project with spring boot and Vue, I need to protect my endpoints. The user will have specific role, admin role or typical user role. When I search for tutorials how to configure JWT and spring security I'm getting articles with disabled cors by cors().disable() only . And that's my question.. May I send request from my front Vue app via axios if cors in spring backend is disabled? Is it right approach to disable it? A lot of my requests from api were blocked by cors so I enabled it but I didn't implement user roles and it made me confused what to do now because I have to do it... Another problem is when I implemented httpSecurity.csrf().disable().authorizeRequests().antMatchers("/authenticate", "/register","/login").permitAll(). and tried to call /authenticate from another device in same network then spring blocked it but it shouldn't be blocked.. On the top of controller I have #CrossOrigin(origins="*", maxAge=3600) and #RestController so I don't know why my request is blocked.
Help me please if You have some ideas.
Best regards!
Set this in top of every controller
#CrossOrigin(origins = "*")
#RestController
And set the code in SecuriyConfig as follows. It worked for me.
httpSecurity.cors()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.ttf",
"/**/*.woff",
"/**/*.woff2",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.jpeg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/authenticate", "/register","/login")
.permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll()
.anyRequest()
.authenticated();
Related
I followed the article Using Custom Authentication Provider Spring Security adding a custom authentication provider in Spring Security.
I found that if I POST to /login, it is redirected to /login.
My custom Authentication Provider's authenticate() is not called.
Even if I use Spring Security's TestingAuthenticationProvider, POST to /login still get redirected to /login.
Is there some thing wrong with my WebSecurityConfigure? This is my configure.
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
I use Spring Boot. Do I need to modify the application.properties file? Is there any working sample project on using custom authentication provider?
Have you tried using
http.authorizeRequests()
.antMatchers("/", "/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
in your WebSecurityConfigure?
You will get a generated login-window that is using your CustomAuthenticationProvider as soon as you are trying to call a page you have not included in
.antMatchers("/", "/webjars/**").permitAll().
I have Auth server with OAuth support with #EnableResourceServer.
App configuration
Security configuration
Authorization server
I can GET to /login and fill form.
When i sent POST to /login, i have 401
Error after POST /login
You might get help from my leaning experiment. I was also facing the same issue and adding HttpMethod.POST in antMatchers helped me and you should use .authorizeRequests() at the beginnings
http
.csrf().disable()
.authorizeRequests().antMatchers("/login","/home","/failure").permitAll()
.antMatchers(HttpMethod.POST,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/user/**").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.POST,"/user/**").hasAnyRole("ADMIN","USER")
.anyRequest().authenticated()
.and()
.exceptionHandling().accessDeniedPage("/403")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/home",true)
.failureUrl("/failure")
.and()
.logout().logoutUrl("/logout").permitAll();
I want to have a homepage followed by login page,Since the login page is not authorised the page becomes UnSecured as per my understanding.The code for this as below:
Home.html
<h2>1. Visit <a th:href="#{/admin}">Admin page (Spring Security protected, Need Admin Role)</a></h2>`enter code here`
<h2>2. Visit <a th:href="#{/user}">User page (Spring Security protected, Need User Role)</a></h2>
<h2>3. Visit <a th:href="#{/about}">Normal page</a></h2>
Here the login page will become unsecured because it is not authorised by spring boot security.How can I tackle the below scenario
http.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/home", "/about").permitAll()
.antMatchers("/admin/**").hasAnyRole("ADMIN")
.antMatchers("/user/**").hasAnyRole("USER")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
'
Please help.Is this possible using Spring Boot Security using the above method?
I solved this issue by setting the following properties in application.properties
server.use-forward-headers=true
I'm using Spring Security 5.0.4 with Spring Boot 2.0.1
I have a working security configuration:
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/index.html", "/#", "/reader.html").permitAll()
.antMatchers("/favicon.ico").permitAll()
.antMatchers("/app/**", "/assets/**", "/translations/**", "/vendor/**").permitAll()
.antMatchers("/login**").permitAll()
.anyRequest().authenticated() // everything else needs authentication
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.permitAll();
It works as expected: When I provide good credentials I'm logged in, it forwards me to /index.html. When I provide bad credentials, it forwards me back to /login with ?error query param.
But, if I complete it with a custom failureForwardUrl() or successForwardUrl() for example:
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("username")
.passwordParameter("password")
.successForwardUrl("/home")
.failureForwardUrl("/login?fail=true")
.permitAll()
it behaves strangely.
If I provide bad credentials, it forwards me back to /login without any query parameters. If I provide good credentials, then I receive a HTTP 405 Method Not Allowed status (POST to /login)
This configuration worked in Spring Security 4.x.
What could be the problem? Thanks!
I figured out that I mixed up .failureUrl("/login?error") with .failureForwardUrl("/login?error"). Facepalm.
I have a very simple spring boot application, which is secured by the following code:
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/403");
the idea is to secure "admin" portion. It exposes a REST API.
The problem is all the POSTS returns
405 Method Not Allowed
If I remove the security starter from the application, it works. This makes me believe that the security configuration is the problem. But I cannot find out how.
This should be easy.
POSTs and PUT requests would not be allowed if CSRF is enabled,and spring boot enables those by default.
Just add this to your configuration code :
.csrf().disable()
that is :
http.
.csrf().disable().
authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/403");
Refer docs ,if you need to enable CSRF :
http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#csrf-configure
This can also happen if using Spring Security SAML extension and your SAMLUserDetailsService returns a UsernameNotFoundException. Seems pretty counter-intuitive, but that's what it does by default (in my experience).