Develop Reference

AccessDeniedException: Access is denied while trying to login OAuth2.0 login form

I have been struggling for days to login and access protected API using OAuth2.0 protocol. I use latest Spring libraries (Spring Security 5). I think I have a problem in Authorization server. So, I will share all codes here:
Configuration File:
#Configuration(proxyBeanMethods = false)
public class AuthorizationServerConfig {
#Autowired
private PasswordEncoder passwordEncoder;
#Bean
#Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
return httpSecurity.formLogin(Customizer.withDefaults()).build();
}
#Bean
public RegisteredClientRepository registeredClientRepository() {
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("client-application")
.clientSecret(passwordEncoder.encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.redirectUri("http://localhost:8000/login/oauth2/code/client-oidc")
.redirectUri("http://localhost:8000/authorized")
.scope(OidcScopes.OPENID)
.scope("READ")
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build();
return new InMemoryRegisteredClientRepository(registeredClient);
}
#Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
#Bean
public JWKSource<SecurityContext> jwkSource() {
RSAKey rsaKey = generateRsa();
JWKSet jwkSet = new JWKSet(rsaKey);
return ((jwkSelector, securityContext) -> jwkSelector.select(jwkSet));
}
...
Another configuration file:
#EnableWebSecurity
public class DefaultSecurityConfig {
#Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
#Bean
#Order
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.cors()
.and()
.csrf().disable()
.headers().frameOptions().sameOrigin()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests(authorizeRequests ->
authorizeRequests.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults());
return http.build();
}
#Autowired
public void bindAuthenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder) {
authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider);
}
application.properties:
server:
port: 9000
And I have a client application:
#EnableWebSecurity
public class SecurityConfig {
#Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests(authorizeRequests ->
authorizeRequests.anyRequest().authenticated())
.oauth2Login(oauth2Login ->
oauth2Login.loginPage("/oauth2/authorization/client-oidc"))
.oauth2Client(withDefaults());
return http.build();
}
}
application.yml file:
spring:
security:
oauth2:
client:
registration:
client-oidc:
provider: spring
client-id: client-application
client-secret: secret
authorization-grant-type: authorization_code
redirect-uri: "http://localhost:8000/login/oauth2/code/{registrationId}"
scope: openid
client-name: client-oidc
client-authorization-code:
provider: spring
client-id: client-application
client-secret: secret
authorization-grant-type: authorization_code
redirect-uri: "http://localhost:8000/authorized"
scope: READ
client-name: client-authorization-code
provider:
spring:
issuer-uri: http://auth-server:9000
I try to access protected API, I am redirected to login page. I enter username and password but in case of error, I go back to login page again.
The error is "Access is denied" but I am sure I enter correct information.
Here are the console output:
2022-07-16 22:52:54.487 DEBUG 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Securing GET /articles
2022-07-16 22:52:54.487 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/16)
2022-07-16 22:52:54.489 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/16)
2022-07-16 22:52:54.490 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/16)
2022-07-16 22:52:54.490 TRACE 96347 --- [nio-8000-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2022-07-16 22:52:54.490 TRACE 96347 --- [nio-8000-exec-1] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-07-16 22:52:54.491 DEBUG 96347 --- [nio-8000-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-16 22:52:54.491 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/16)
2022-07-16 22:52:54.491 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (5/16)
2022-07-16 22:52:54.492 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2022-07-16 22:52:54.492 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/16)
2022-07-16 22:52:54.492 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationRequestRedirectFilter (7/16)
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationRequestRedirectFilter (8/16)
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2LoginAuthenticationFilter (9/16)
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/16)
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.s.HttpSessionRequestCache : No saved request
2022-07-16 22:52:54.493 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/16)
2022-07-16 22:52:54.494 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/16)
2022-07-16 22:52:54.497 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2022-07-16 22:52:54.498 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationCodeGrantFilter (13/16)
2022-07-16 22:52:54.499 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (14/16)
2022-07-16 22:52:54.499 DEBUG 96347 --- [nio-8000-exec-1] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id E0B30836EC2E93B18880548260904FB0
2022-07-16 22:52:54.499 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (15/16)
2022-07-16 22:52:54.499 TRACE 96347 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (16/16)
2022-07-16 22:52:54.500 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
2022-07-16 22:52:54.500 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [GET /articles] with attributes [authenticated]
2022-07-16 22:52:54.507 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.expression.WebExpressionVoter : Voted to deny authorization
2022-07-16 22:52:54.507 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [GET /articles] with attributes [authenticated] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter#1e3f0aea], AllowIfAllAbstainDecisions=false]
2022-07-16 22:52:54.512 TRACE 96347 --- [nio-8000-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) ~[spring-security-core-5.7.2.jar:5.7.2]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:239) ~[spring-security-core-5.7.2.jar:5.7.2]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:208) ~[spring-security-core-5.7.2.jar:5.7.2]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:113) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter.doFilterInternal(OAuth2AuthorizationCodeGrantFilter.java:168) ~[spring-security-oauth2-client-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:223) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:178) ~[spring-security-oauth2-client-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:178) ~[spring-security-oauth2-client-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.7.2.jar:5.7.2]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.21.jar:5.3.21]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.21.jar:5.3.21]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.21.jar:5.3.21]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1787) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.64.jar:9.0.64]
at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
2022-07-16 22:52:54.536 DEBUG 96347 --- [nio-8000-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8000/articles to session
2022-07-16 22:52:54.536 DEBUG 96347 --- [nio-8000-exec-1] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8000/oauth2/authorization/client-oidc
I was being logged in the past, but I probably changed some parts and now it is broken and I can not fix the error. What might be the cause? Why I am getting "AccessDeniedException"?? From AuthenticationProvider, UsernamePasswordAuthenticationToken is created. Thanks..

If you intent to correct your Authorization server, change a little bit of your class and method level annotations like below:
#Configuration(proxyBeanMethods = false)
#EnableWebSecurity
public class DefaultSecurityConfig {
#Bean
#Order(Ordered.HIGHEST_PRECEDENCE + 1)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
throws Exception {
// .........
}
}
It seems every thing looks ok just change
SessionCreationPolicy.STATELESS to SessionCreationPolicy.IF_REQUIRED. Because Spring Security creates some session and interact with it. By default, “IF_REQUIRED“.
Run your Server and hit the URL:
http://localhost:9000/oauth2/authorize?client_id=your_client_id&redirect_uri=your_redirect_uri&scope=openid&response_type=code&response_mode=query

Actually, latest spring-security version is 6.0.0 (goes with spring-boot 3).
Be sure to configure your REST API with spring-boot-starter-oauth2-resource-server (not spring-boot-starter-oauth2-client). If you have a doubt, follow those tutorials. It is designed for Keycloak but switching to any other OIDC authorization-server is mostly a matter of editing properties.
If you have server-side rendered UI elements (with Thymeleaf, JSF or whatever) in addition to REST endpoints, create an additional client SecurityFilterChain limited to those UI resources. Spring generated OAuth2 login is part of those UI resources. Be aware that this filter-chain will require sessions (and CSRF protection). Also note that you should use oauth2Login only if you have other server-side rendered UI (rich clients like Angular, React, Vue, Flutter, etc. should use an OIDC client library and handle login & requests authorization by them self). Samples of a second security filter-chain in this answer and that tutorial.
I'd advise you start with a more complete OIDC authorization-server implementation than Spring's one (either on premise like Keycloak or SaaS like Auth0, Okta, Amazon Cognito, and many more). You'll avoid some dangerous miss configurations and save quite some effort: user management screens, registration forms, user database, connectors to LDAP, social login, multi-factor authentication and many more useful features are provided with such solutions and it makes no difference from the resource-server point of view (your REST API).
Edit: disclosure
I am the author of quite a few stackoverflow answers about "OAuth2 spring" and "Keycloak spring" answers (including the one I link here).
I also wrote:
the tutorials I link
spring-security-test support for OAuth2 (MockMvc post processors and web test client mutator)
the support for authentication converter configuration for resource-servers with token introspection in spring-security and Spring-boot
a lib with #WithMockUser equivalents for OAuth2 (only annotations enable to test secured with #PreAuthorize and #PostFilter #service and #Repository)
thin wrappers arround spring-boot-starter-oauth2-resource-server to move most configuration to properties file (including role mapping and fine grained CORS conf)

Keycloak Spring Multitenant Null Pointer Exception

Source Code from : https://github.com/ineat/spring-keycloak-multitenant
Started Keycloak and added realms as instructed in the readme file.
Updated the Keycloak Json codes at respective places.
Started Spring Project.
Got the Following Exceptions upon calling "http://localhost:8081/multitenant" :
2019-03-20 18:34:28.195 ERROR 25640 --- [nio-8081-exec-1]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
/multitenant
2019-03-20 18:34:28.248 ERROR 25640 --- [nio-8081-exec-1]
o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for
servlet [dispatcherServlet] threw exception
2019-03-20 18:34:28.249 ERROR 25640 --- [nio-8081-exec-1]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
ErrorPage[errorCode=0, location=/error]
2019-03-20 18:34:28.251 ERROR 25640 --- [nio-8081-exec-1]
o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for
servlet [dispatcherServlet] threw exception
2019-03-20 18:34:28.252 ERROR 25640 --- [nio-8081-exec-1]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
ErrorPage[errorCode=0, location=/error]
2019-03-20 18:34:28.506 ERROR 25640 --- [nio-8081-exec-2]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
/favicon.ico
2019-03-20 18:34:28.511 ERROR 25640 --- [nio-8081-exec-2]
o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for
servlet [dispatcherServlet] threw exception
2019-03-20 18:34:28.512 ERROR 25640 --- [nio-8081-exec-2]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
ErrorPage[errorCode=0, location=/error]
2019-03-20 18:34:28.514 ERROR 25640 --- [nio-8081-exec-2]
o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for
servlet [dispatcherServlet] threw exception
2019-03-20 18:34:28.515 ERROR 25640 --- [nio-8081-exec-2]
o.a.c.c.C.[Tomcat].[localhost] : Exception Processing
ErrorPage[errorCode=0, location=/error]
java.lang.NullPointerException: null at
java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:936)
~[na:1.8.0_191] at
java.util.concurrent.ConcurrentHashMap.containsKey(ConcurrentHashMap.java:964)
~[na:1.8.0_191] at
com.ineat.spring.keycloak.multitenant.HeaderBasedConfigResolver.resolve(HeaderBasedConfigResolver.java:21)
~[classes/:na] at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
~[keycloak-adapter-core-4.4.0.Final.jar:4.4.0.Final] at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
~[keycloak-adapter-core-4.4.0.Final.jar:4.4.0.Final] at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
~[keycloak-adapter-core-4.4.0.Final.jar:4.4.0.Final] at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81)
~[keycloak-spring-security-adapter-4.4.0.Final.jar:4.4.0.Final] at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
~[spring-web-5.0.10.RELEASE.jar:5.0.10.RELEASE] at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
~[spring-web-5.0.10.RELEASE.jar:5.0.10.RELEASE] at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
~[spring-web-5.0.10.RELEASE.jar:5.0.10.RELEASE] at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE] at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
~[spring-web-5.0.10.RELEASE.jar:5.0.10.RELEASE] at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
~[spring-web-5.0.10.RELEASE.jar:5.0.10.RELEASE] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316)
~[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_191] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_191] at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-embed-core-8.5.34.jar:8.5.34] at
java.lang.Thread.run(Thread.java:748) [na:1.8.0_191]
Please advice if there's any more configurations to be made/any errors i should fix.
Thanks in advance.

The spring-boot application you mentioned resolves and loads keycloak configuration for multi tenant based on header field i.e "realm: ORGA1".
but not sure why you are calling http://localhost:8081/multitenant
You are supposed to get token for the required tenant and then called the API by passing the right tenant in header of the request

Spring boot 2 client unable to parse header

I'm getting the below error while booting the client application in Spring Boot 2.
> 2018-08-24 12:26:15.689 DEBUG 19212 --- [nio-8001-exec-2]
> o.a.tomcat.util.net.SocketWrapperBase : Socket:
> [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#67c796:org.apache.tomcat.util.net.NioChannel#a9face6:java.nio.channels.SocketChannel[connected
> local=/ipaddress:8001 remote=/ipaddress:57886]], Read from buffer: [0]
> 2018-08-24 12:26:15.689 DEBUG 19212 --- [nio-8001-exec-2]
> o.apache.coyote.http11.Http11Processor : Error parsing HTTP request
> header
>
> java.io.EOFException: null at
> org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.fillReadBuffer(NioEndpoint.java:1259)
> ~[tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.read(NioEndpoint.java:1193)
> ~[tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:725)
> ~[tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:368)
> ~[tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)
> ~[tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> [tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
> [tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
> [tomcat-embed-core-8.5.31.jar:8.5.31] at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> [tomcat-embed-core-8.5.31.jar:8.5.31] at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> [na:1.8.0_161] at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> [na:1.8.0_161] at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> [tomcat-embed-core-8.5.31.jar:8.5.31] at
> java.lang.Thread.run(Thread.java:748) [na:1.8.0_161]
Here is my client application.properties:
<!-- language: none -->
server.port=8001
spring.boot.admin.client.url=localhost:9001
management.endpoints.web.exposure.include=*
spring.boot.admin.client.username=admin
spring.boot.admin.client.password=admin
client.user.name=client
client.user.password=client
logging.file=relay-api.log
Here is my security config class
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private AuthenticationEntryPoint authEntryPoint;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().httpStrictTransportSecurity().disable();
// All requests send to the Web Server request must be authenticated
http.authorizeRequests().anyRequest().authenticated();
// Use AuthenticationEntryPoint to authenticate user/password
http.httpBasic().authenticationEntryPoint(authEntryPoint);
}
#Bean
public BCryptPasswordEncoder passwordEncoder() {
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
return bCryptPasswordEncoder;
}
#Value("${client.user.name}")
private String username;
#Value("${client.user.password}")
private String password;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
String encrytedPassword = this.passwordEncoder().encode(password);
System.out.println("Encoded password " + encrytedPassword);
InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> //
mngConfig = auth.inMemoryAuthentication();
// Defines 2 users, stored in memory.
// ** Spring BOOT >= 2.x (Spring Security 5.x)
// Spring auto add ROLE_
//UserDetails u1 = User.withUsername("relay-api").password(encrytedPassword).roles("USER").build();
UserDetails u1 = User.withUsername(username).password(encrytedPassword).roles("USER").build();
// UserDetails u2 = User.withUsername(admin).password(encrytedPassword).roles("USER").build();
mngConfig.withUser(u1);
//mngConfig.withUser(u2);
}
}
Here is the exact log which I can see . it is authentication issue but not able to understand what part I am missing
2018-08-24 14:28:17.718 DEBUG 9960 --- [nio-8001-exec-5] o.apache.coyote.http11.Http11Processor : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper#5721a30a:org.apache.tomcat.util.net.NioChannel#5dd9c87a:java.nio.channels.SocketChannel[connected local=/ip:8001 remote=/ip:60359]], Status in: [OPEN_READ], State out: [CLOSED]
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /actuator/mappings' doesn't match 'GET /logout
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /actuator/mappings' doesn't match 'POST /logout
2018-08-24 14:28:17.719 DEBUG 9960 --- [io-8001-exec-13] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /actuator/mappings' doesn't match 'PUT /logout
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /actuator/mappings' doesn't match 'DELETE /logout
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#e325ed39: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffffa64e: RemoteIpAddress: 172.18.112.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-08-24 14:28:17.720 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.security.web.FilterChainProxy : /actuator/mappings at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /actuator/mappings; Attributes: [authenticated]
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#e325ed39: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffffa64e: RemoteIpAddress: 172.18.112.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#49cb8ec1, returned: -1
2018-08-24 14:28:17.721 DEBUG 9960 --- [io-8001-exec-13] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=2018-08-24T08:58:17.721Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#ffffa64e: RemoteIpAddress: 172.18.112.1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2018-08-24 14:28:17.722 DEBUG 9960 --- [io-8001-exec-13] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_161]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_161]
Here are the spring boot admin properties :
server.port=9001
#spring.jackson.date-format=com.slb.it.dataplatform.relay.RFC3339DateFormat
#spring.jackson.serialization.WRITE_DATES_AS_TIMESTAMPS=false
## Adding the credentials for spring boot admin login ui
spring.security.user.name=admin
spring.security.user.password=admin
Here is my admin security config class
#Configuration
#EnableWebSecurity
#Order(SecurityProperties.BASIC_AUTH_ORDER)
public static class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
/* private final String adminContextPath;
public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
this.adminContextPath = adminServerProperties.getContextPath();
}*/
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successHandler.setTargetUrlParameter("redirectTo");
successHandler.setDefaultTargetUrl( "/");
http.headers().httpStrictTransportSecurity().disable();
http.authorizeRequests()
.antMatchers( "/assets/**").permitAll()
.antMatchers( "/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage( "/login").successHandler(successHandler).and()
.logout().logoutUrl( "/logout").and()
.httpBasic().and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers(
"/instances",
"/actuator/**"
);
// #formatter:on
}
}

Spring Boot 2 need SSL by default, you should set:
add
server.ssl.enabled=false
in
application.properties

Securing OAuth 2.0 Authorization server using LDAP authentication

Implemented OAuth 2.0 implementation using the below reference and was able to make it.
source code
https://github.com/Baeldung/spring-security-oauth
Tutorial
http://www.baeldung.com/rest-api-spring-oauth2-angularjs
To secure our application more, replaced auth.inMemoryAuthentication() with auth.ldapAuthentication() using embedded ldap by referring to the
https://spring.io/guides/gs/authenticating-ldap/
and our WebSecurityConfigurerAdapter looks like
#Autowired
public void globalUserDetails(final AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource(contextSource())
.passwordCompare()
.passwordEncoder(new LdapShaPasswordEncoder())
.passwordAttribute("userPassword");
}
Now authentication is being successful but throwing the below error message on UI.
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<oauth>
<error_description>
Invalid access token: 51a2f56a-7db6-429e-a180-6b872a2ec521
</error_description>
<error>invalid_token</error>
</oauth>
Also find the stack trace below
2017-08-06 22:45:42.508 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL query
2017-08-06 22:45:42.511 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL statement [select token_id, token from oauth_access_token where token_id = ?]
2017-08-06 22:45:42.531 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.datasource.DataSourceUtils : Fetching JDBC Connection from DataSource
2017-08-06 22:45:42.532 DEBUG 13744 --- [nio-8082-exec-2] o.s.j.d.DriverManagerDataSource : Creating new JDBC DriverManager Connection to [jdbc:mysql://localhost:3306/auth]
2017-08-06 22:45:43.156 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.datasource.DataSourceUtils : Returning JDBC Connection to DataSource
2017-08-06 22:45:43.166 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL query
2017-08-06 22:45:43.166 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL statement [select token_id, authentication from oauth_access_token where token_id = ?]
2017-08-06 22:45:43.166 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.datasource.DataSourceUtils : Fetching JDBC Connection from DataSource
2017-08-06 22:45:43.166 DEBUG 13744 --- [nio-8082-exec-2] o.s.j.d.DriverManagerDataSource : Creating new JDBC DriverManager Connection to [jdbc:mysql://localhost:3306/auth]
2017-08-06 22:45:43.185 DEBUG 13744 --- [nio-8082-exec-2] o.a.c.loader.WebappClassLoaderBase : findClass(org.springframework.security.ldap.userdetails.LdapUserDetailsImpl)
2017-08-06 22:45:43.186 DEBUG 13744 --- [nio-8082-exec-2] o.a.c.loader.WebappClassLoaderBase : --> Returning ClassNotFoundException
2017-08-06 22:45:43.187 DEBUG 13744 --- [nio-8082-exec-2] o.a.c.loader.WebappClassLoaderBase : findClass(org.springframework.security.ldap.userdetails$LdapUserDetailsImpl)
2017-08-06 22:45:43.187 DEBUG 13744 --- [nio-8082-exec-2] o.a.c.loader.WebappClassLoaderBase : --> Returning ClassNotFoundException
2017-08-06 22:45:43.188 DEBUG 13744 --- [nio-8082-exec-2] o.s.jdbc.datasource.DataSourceUtils : Returning JDBC Connection to DataSource
2017-08-06 22:45:43.193 WARN 13744 --- [nio-8082-exec-2] o.s.s.o.p.token.store.JdbcTokenStore : Failed to deserialize authentication for 51a2f56a-7db6-429e-a180-6b872a2ec521
java.lang.IllegalArgumentException: java.lang.ClassNotFoundException: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl
at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:50) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.deserializeAuthentication(JdbcTokenStore.java:405) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:198) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:196) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:697) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:633) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:684) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:716) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:726) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:800) ~[spring-jdbc-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.readAuthentication(JdbcTokenStore.java:195) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.readAuthentication(JdbcTokenStore.java:188) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.DefaultTokenServices.loadAuthentication(DefaultTokenServices.java:238) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.token.DefaultTokenServices$$FastClassBySpringCGLIB$$5a1f25c.invoke(<generated>) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:669) [spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.security.oauth2.provider.token.DefaultTokenServices$$EnhancerBySpringCGLIB$$b4290941.loadAuthentication(<generated>) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager.authenticate(OAuth2AuthenticationManager.java:83) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:150) [spring-security-oauth2-2.0.14.RELEASE.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at com.tcs.springhadoop.ResourceApplication.CorsFilter.doFilter(CorsFilter.java:35) [classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) [tomcat-embed-core-8.5.15.jar:8.5.15]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.15.jar:8.5.15]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_141]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_141]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.15.jar:8.5.15]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_141]
Caused by: java.lang.ClassNotFoundException: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedWebappClassLoader.loadClass(TomcatEmbeddedWebappClassLoader.java:52) ~[spring-boot-1.5.4.RELEASE.jar:1.5.4.RELEASE]
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119) ~[tomcat-embed-core-8.5.15.jar:8.5.15]
at org.springframework.util.ClassUtils.forName(ClassUtils.java:250) ~[spring-core-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at org.springframework.core.ConfigurableObjectInputStream.resolveClass(ConfigurableObjectInputStream.java:74) ~[spring-core-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readClassDesc(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.defaultReadFields(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readSerialData(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.defaultReadFields(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readSerialData(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:1.8.0_141]
at java.io.ObjectInputStream.readObject(Unknown Source) ~[na:1.8.0_141]
at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:43) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
2017-08-06 22:56:32.188 DEBUG 13744 --- [nio-8082-exec-3] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL update
2017-08-06 22:56:32.188 DEBUG 13744 --- [nio-8082-exec-3] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL statement [delete from oauth_access_token where token_id = ?]
2017-08-06 22:56:32.188 DEBUG 13744 --- [nio-8082-exec-3] o.s.jdbc.datasource.DataSourceUtils : Fetching JDBC Connection from DataSource
2017-08-06 22:56:32.188 DEBUG 13744 --- [nio-8082-exec-3] o.s.j.d.DriverManagerDataSource : Creating new JDBC DriverManager Connection to [jdbc:mysql://localhost:3306/auth]
2017-08-06 22:56:32.196 DEBUG 13744 --- [nio-8082-exec-3] o.s.jdbc.core.JdbcTemplate : SQL update affected 1 rows
2017-08-06 22:56:32.200 DEBUG 13744 --- [nio-8082-exec-3] o.s.jdbc.datasource.DataSourceUtils : Returning JDBC Connection to DataSource
2017-08-06 22:56:32.200 DEBUG 13744 --- [nio-8082-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token", error_description="Invalid access token: f8c3ebb0-5eb0-4170-9437-4d67e2192f37"
2017-08-06 22:56:32.200 DEBUG 13744 --- [nio-8082-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-08-06 22:56:32.200 DEBUG 13744 --- [nio-8082-exec-3] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="invalid_token", error_description="Invalid access token: f8c3ebb0-5eb0-4170-9437-4d67e2192f37"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter#47716661]
2017-08-06 22:56:32.200 DEBUG 13744 --- [nio-8082-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
... 72 common frames omitted
Error trace followed by deleting the access token from database. Please guide us to fix the issue. Thanks in advance

Make sure you have the following in your pom.xml
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
Change to your version of spring.

Multiple spring security configurations for formLogin and basic auth

I have a web application with the standard form login authentication and I'm trying to add an api section secured with basic auth.
My security config file looks like:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
#Configuration
#Order(1)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
#Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.httpBasic().and()
.authorizeRequests().anyRequest().fullyAuthenticated().and()
.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("test").password("pass").roles("USER")
.and().withUser("test2").password("pass").roles("ADMIN");
}
}
#Configuration
#Order(2)
public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private LoginSuccessHandler loginSuccessHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
//loginSuccessHandler.setDefaultTargetUrl("/landing");
http.authorizeRequests().anyRequest().fullyAuthenticated()
.and()
// .httpBasic().and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.successHandler(loginSuccessHandler)
// login success redirect handled by loginSuccessHandler
//.defaultSuccessUrl("/landing")
.usernameParameter("email")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.deleteCookies("remember-me")
.addLogoutHandler(logoutHandler)
//.logoutSuccessHandler(logoutSuccessHandler)
.logoutSuccessUrl("/login")
.permitAll()
.and()
.rememberMe();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(
"/**/*.css", "/**/*.png", "/**/*.gif", "/**/*.jpg", "/**/*.js","/**/*.map", "/fonts/*");
}
}
}
I'm testing with two urls: api/test and api/testSecured. Without the ApiWebSecurityConfig configuration, visiting api/test produces the expected response and api/testSecured redirects to the login page. WITH ApiWebSecurityConfig, however, both urls result in 404s. Why would this be? I was expecting the same content on api/test and 401 on api/testSecured
edit:
The logs show:
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#2f3745b1
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.css'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.png'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.gif'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.jpg'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.js'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/**/*.map'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/fonts/*'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/api/**'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#71a60793
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/test'; against '/logout'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-08-22 01:13:13.517 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3F32CE65028D5FCD8C8589AFA4D842AD; Granted Authorities: ROLE_ANONYMOUS'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.security.web.FilterChainProxy : /api/test at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/test; Attributes: [fullyAuthenticated]
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3F32CE65028D5FCD8C8589AFA4D842AD; Granted Authorities: ROLE_ANONYMOUS
2016-08-22 01:13:13.518 DEBUG --- [nio-1010-exec-2] .s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#36fb2af7, returned: -1
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] .s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502) [tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458) [tomcat-embed-core-8.0.33.jar:8.0.33]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_51]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.33.jar:8.0.33]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_51]
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] .s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#37f512ab
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-08-22 01:13:13.520 DEBUG --- [nio-1010-exec-2] .s.b.c.web.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#2f3745b1
2016-08-22 01:13:13.521 DEBUG --- [nio-1010-exec-2] .s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/401.html]
2016-08-22 01:13:13.521 DEBUG --- [nio-1010-exec-2] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /401.html
2016-08-22 01:13:13.523 DEBUG --- [nio-1010-exec-2] s.w.s.m.m.a.RequestMappingHandlerMapping : Did not find handler method for [/401.html]
2016-08-22 01:13:13.523 DEBUG --- [nio-1010-exec-2] .s.d.r.w.BasePathAwareHandlerMapping : Looking up handler method for path /401.html
2016-08-22 01:13:13.524 DEBUG --- [nio-1010-exec-2] .s.d.r.w.BasePathAwareHandlerMapping : Did not find handler method for [/401.html]
2016-08-22 01:13:13.524 DEBUG --- [nio-1010-exec-2] .s.d.r.w.RepositoryRestHandlerMapping : Looking up handler method for path /401.html
2016-08-22 01:13:13.529 DEBUG --- [nio-1010-exec-2] .s.d.r.w.RepositoryRestHandlerMapping : Did not find handler method for [/401.html]
2016-08-22 01:13:13.529 DEBUG --- [nio-1010-exec-2] .s.w.s.handler.SimpleUrlHandlerMapping : Matching patterns for request [/401.html] are [/**]
2016-08-22 01:13:13.529 DEBUG --- [nio-1010-exec-2] .s.w.s.handler.SimpleUrlHandlerMapping : URI Template variables for request [/401.html] are {}
2016-08-22 01:13:13.529 DEBUG --- [nio-1010-exec-2] .s.w.s.handler.SimpleUrlHandlerMapping : Mapping [/401.html] to HandlerExecutionChain with handler [ResourceHttpRequestHandler [locations=[ServletContext resource [/], class path resource [META-INF/resources/], class path resource [resources/], class path resource [static/], class path resource [public/]], resolvers=[org.springframework.web.servlet.resource.PathResourceResolver#5bf7e3d3]]] and 1 interceptor
2016-08-22 01:13:13.529 DEBUG --- [nio-1010-exec-2] .s.web.servlet.DispatcherServlet : Last-Modified value for [/401.html] is: -1
2016-08-22 01:13:13.530 DEBUG --- [nio-1010-exec-2] .s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-08-22 01:13:13.530 DEBUG --- [nio-1010-exec-2] .s.web.servlet.DispatcherServlet : Successfully completed request
Also, commenting out the second configuration doesn't change anything for the api/.. requests, they still 404.