Why is formlogin with second precedence not working when configured with httpbasic with first precedence in spring boot? [duplicate] - spring

This question already has answers here:
Spring Security : Multiple HTTP Config not working
(2 answers)
Closed 6 years ago.
I have an application that exposes "api" services and "web" pages. So, I've configured httpbasic and formlogin as per Spring's documentation (and from various other SO posts)
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web - Annotations
Below is my custom web security configurer code
#EnableWebSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
private final Logger log = LoggerFactory.getLogger(this.getClass());
#Autowired
private MyAuthenticationProvider myAuthenticationProvider;
#Autowired
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(myAuthenticationProvider);
}
#Configuration
#Order(1)
public static class BasicAuthentication extends WebSecurityConfigurerAdapter{
private final Logger log = LoggerFactory.getLogger(this.getClass());
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/myapp/api/**").authenticated()
.and() // Permit access for all to login REST service
.httpBasic()
.authenticationEntryPoint(new MyAuthenticationFailurePoint());
}
}
#Configuration
#Order(2)
public static class FormAuthentication extends WebSecurityConfigurerAdapter{
private final Logger log = LoggerFactory.getLogger(this.getClass());
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/myapp/web/**").authenticated()
.and()
.formLogin()
.loginPage("/myapp/web/login")
.permitAll()
.and()
.logout()
.logoutUrl("/myapp/web/logout")
.permitAll();
}
}
}
With this code, when I consume (GET) "http:/ /localhost:8083/myapp/api/getIds", the logic works as expected and my custom authentication provider gets called. Please find below the
logs for your reference
[DEBUG] 2016-12-21 04:36:08.878 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:36:08.904 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:36:09.029 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#3b41e91a
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/logout'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:09.089 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'testuser'
[DEBUG] 2016-12-21 04:36:09.166 org.springframework.security.authentication.ProviderManager - Authentication attempt using com.myapp.inf.authenticator.MyAuthenticationProvider
[TRACE] 2016-12-21 04:36:33.498 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext#13330ac6: org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities]
[DEBUG] 2016-12-21 04:36:33.498 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#46bf4560
[DEBUG] 2016-12-21 04:36:33.583 org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession being created as SecurityContext is non-default
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl#fa787cf9: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade#2c175127
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/api/getIds; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5169d120, returned: 1
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
[DEBUG] 2016-12-21 04:36:34.083 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds reached end of additional filter chain; proceeding with original chain
Now, when I hit (from browser) "http:/ /localhost:8083/myapp/web/MainConsole", I'm not being prompted for a login page. Please find below the logs for this hit. They indicate that spring boot
is using "httpbasic" config for this hit
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.boot.context.web.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade#26ff703a
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#3b41e91a
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/logout'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
[TRACE] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext#13330ac6: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole reached end of additional filter chain; proceeding with original chain
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper#1274a368]
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping#219e6d9f] in DispatcherServlet with name 'dispatcherServlet'
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - No handler mapping found for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#5afb11fb] in DispatcherServlet with name 'dispatcherServlet'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /myapp/web/MainConsole
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Found 1 matching mapping(s) for [/myapp/web/MainConsole] : [{[/myapp/web/MainConsole]}]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Returning handler method [public java.lang.String com.myapp.core.controllers.web.MainConsole.showMainConsole()]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'mainConsole'
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter#718cb880]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/myapp/web/MainConsole] is: -1
[TRACE] 2016-12-21 04:41:30.193 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [MainConsole.showMainConsole] method with arguments []
[TRACE] 2016-12-21 04:41:30.194 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [showMainConsole] returned [home]
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.ContentNegotiatingViewResolver - Requested media types are [text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8] based on Accept header types and producible media types [*/*])
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.BeanNameViewResolver - No matching bean found for view name 'home'
Then, I swaped the order on "httpbasic" and "formlogin" and re-executed "http:/ /localhost:8083/myapp/web/MainConsole". Now, the correct filter - UsernamePasswordAuthenticationFilter - gets called. BUt,
the "api" hits aren't working now.
[DEBUG] 2016-12-21 04:52:56.357 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:52:56.383 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:52:56.409 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:52:56.410 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:52:56.514 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#32c4de26
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/login
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:52:56.568 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:52:56.623 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.702 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/web/**'
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/web/MainConsole; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
[DEBUG] 2016-12-21 04:52:56.930 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#9d78e5c, returned: -1
[TRACE] 2016-12-21 04:52:56.931 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext#13330ac6: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:52:56.931 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:52:56.932 org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
Why is httpsbasic is ALWAYS taking first precedence, regardless of a URL pattern that matches for formlogin?


Because you set the api order to 1, so it will always in API filter chain.Change the api config to this. This will match the request path first.
http.antMatcher("/myapp/api/**")
.csrf().disable().authorizeRequests()
.antMatchers("/**").authenticated().and() // Permit access for all to login REST service
.httpBasic()
.authenticationEntryPoint(new MyAuthenticationFailurePoint());

Related

Getting 404 after oauth2 authentication success and an anonymous token

I am using oauth2 with springboot 1.5.6.RELEASE and I am using jdbc authentication with oauth2.
I added the property: security.oauth2.resource.filter-order = 3
1- AuthorizationServerConfigurerAdapter:
#Configuration
#EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
#Autowired
#Qualifier("authenticationManagerBean")
#Lazy
private AuthenticationManager authenticationManager;
#Autowired
private Environment env;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
endpoints.authenticationManager(authenticationManager);
}
#Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource());
}
#Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource());
}
#Bean
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(env.getProperty("spring.datasource.driver-class-name"));
dataSource.setUrl(env.getProperty("spring.datasource.url"));
dataSource.setUsername(env.getProperty("spring.datasource.username"));
dataSource.setPassword(env.getProperty("spring.datasource.password"));
return dataSource;
}
}
2- ResourceServerConfigurerAdapter
#EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/ws/**").authorizeRequests().anyRequest().authenticated();
}
}
3- SecurityConfig
#Configuration
#EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private CustomAuthenticationSuccessHandler successHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/", "/registerCompany", "/registerEmployee", "/jobs", "/returnPassword", "/resetPassword",
"/faces/public/**", "/resources/**", "/template/**", "/faces/fonts/*",
"/faces/javax.faces.resource/**", "/ws/**", "/login", "/oauth/**", "/error")
.permitAll().antMatchers("/admin/**", "/faces/admin/**").hasAuthority("ROLE_ADMIN")
.antMatchers("/employeeProfile", "/employeeMainPage", "/employeeAskJob").hasAuthority("ROLE_EMPLOYEE")
.antMatchers("/companyProfile", "/companyMainPage", "/companyPostJob", "/companySearch",
"/branchProfile")
.hasAnyAuthority("ROLE_COMPANY,ROLE_BRANCH,ROLE_ADMIN").anyRequest().fullyAuthenticated().and()
.formLogin().loginPage("/login").permitAll().successHandler(successHandler).failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password").and().logout().deleteCookies("JSESSIONID")
.logoutUrl("/logout").deleteCookies("remember-me").logoutSuccessUrl("/").permitAll().and().rememberMe();
// http.sessionManagement().invalidSessionUrl("/login?invalidSession");
// cache resources
http.headers().addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
new AntPathRequestMatcher("/javax.faces.resource/**"), new HeaderWriter() {
#Override
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
response.addHeader("Cache-Control", "private, max-age=86400");
}
})).defaultsDisabled();
}
#Override
#Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(11);
}
}
I am trying to generate a token using postman with a post request to url http://localhost:8082/dawam2/oauth/token?grant_type=password
and I use basic authentication and set the username=myclient_id and password=myclient_secret. So the header (Authorization : Basic Basic bXljbGllbnRfaWQ6bXljbGllbnRfc2VjcmV0) was generated
and I set the header Content-Type: application/x-www-form-urlencoded; charset=utf-8.
The response I am getting instead of a generated token :
!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Not Found</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.0.M18</h3></body></html>
Here are the debugging info:
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - matched
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#1d47c7a
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/logout'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'POST /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'PUT /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'DELETE /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,834 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'myclient_id'
2017-09-26 15:32:16,834 DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-09-26 15:32:16,849 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#15d6aaa
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/token?grant_type=password; Attributes: [fullyAuthenticated]
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,851 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cb584, returned: 1
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2017-09-26 15:32:16,851 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,853 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,853 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token_key'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/check_token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/logout'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'PUT /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'DELETE /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /login
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-09-26 15:32:16,856 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
How can I fix this issue?

The issue was related to Jersey configuration, it was stealing requests from oauth2, i had to reconfigure it with #ApplicationPath("/ws")
so the configuration now looks like :
#Configuration
#ApplicationPath("/ws")
public class JerseyConfig extends ResourceConfig {
public JerseyConfig() {
register(DawamService.class);
}
}
and my webservice implementation class like :
#Component
#Path("/dawam")
public class DawamService extends DawamServiceBase {
#GET
#Produces({ MediaType.TEXT_HTML })
#Path("/test")
public String getHTML() {
System.out.println("##### Welcome to test webservice #########");
return "Welcome to test webservice";
}
}

I have the same problem and I can fixed it.
In my case the reason was in the following:
My servlet-mapping for dispather servlet in web.xml
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
It means the all http requests for access to your resources should be started with '/api' (ex. /api/user/2 or /api/login) even if #RequestMapping points as '/user/{id}' or /login. When you request a token by oauth2/token URL, spring or other filters handle it, but dispatcherServlet could not find any controller corresponding to your request and we have 404 error.
To resolve this, I just added the one method to endpoints in AuthorizationServerConfiguration class.
#Configuration
#EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
...
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.prefix("/api") //<---- PREFIX WAS ADDED
.userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager);
}
...
}
I think the
.pathMapping("/oauth/token", "/api/oauth/token")
code instead of .prefix("/api") also can resolve the problem.
It changes request for getting the tokens.
After made change I get the tokens by URL
/api/oauth/token
Of course I can mistake but it works for me. Thanks.

not able to display image from a folder

I use spring boot 1.4.3, I created a class to try to access a folder from ther server
#Configuration
public class WebConfigurer extends WebMvcConfigurerAdapter {
#Value("${img.app.path}")
private String imgAppPath;
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/img/**").addResourceLocations("/home/bob/bin/");
}
}
In /home/bob/bin/ I have many image:
When I try to access to http://localhost:8080//img/logo.png
I get:
2016-12-28 22:35:44.690 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-12-28 22:35:44.690 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-12-28 22:35:44.691 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-12-28 22:35:44.691 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-12-28 22:35:44.691 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2016-12-28 22:35:44.691 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/img/logo.png'; against '/logout'
2016-12-28 22:35:44.691 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /img/logo.png' doesn't match 'POST /logout
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /img/logo.png' doesn't match 'PUT /logout
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /img/logo.png' doesn't match 'DELETE /logout
2016-12-28 22:35:44.692 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-12-28 22:35:44.693 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-12-28 22:35:44.694 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-12-28 22:35:44.694 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-12-28 22:35:44.694 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/img/logo.png'; against '/rest/**'
2016-12-28 22:35:44.695 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Public object - authentication not attempted
2016-12-28 22:35:44.695 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.security.web.FilterChainProxy : /img/logo.png reached end of additional filter chain; proceeding with original chain
2016-12-28 22:35:44.716 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#738bf2c8
2016-12-28 22:35:44.717 DEBUG 10000 --- [http-nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2016-12-28 22:35:44.718 DEBUG 10000 --- [http-nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

You need allow access to the static resources with spring security.
<http pattern="/img/**" security="none"/>
Java Config
web.ignoring().antMatchers("/img/**");
And change the resource path.
registry.addResourceHandler("/img/**").addResourceLocations("file:///home/bob/bin/");
Detail see here

Token based remember me cookie is not working at the time of autologin redirection

I am using spring security 4.1.1 and spring boot for authentication its working totally good. Now I started to implement remember me below is my configuration code
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
CustomAuthenticationProvider customAuthenticationProvider;
// UserDetailsService userDetailsService;
#Autowired
UserDetailsService userDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/", "/login", "/signup","/logout", "/loginProcess","/public/**","/forgotpassword","/forgot-password*","/isUserExists","/emailForgot","/verify-user*").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.rememberMe().key("tokenkey").rememberMeParameter("_spring_security_remember_me").rememberMeCookieName("myremembermecookie").tokenValiditySeconds(1209600).alwaysRemember(true).userDetailsService(userDetailsService)
.and()
.formLogin().loginPage("/login").loginProcessingUrl("/loginProcess").defaultSuccessUrl("/home")
.failureUrl("/login?error").usernameParameter("userName").passwordParameter("userPassword").permitAll()
.and().logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
.invalidateHttpSession(true).permitAll().and().headers().defaultsDisabled().cacheControl();
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
auth.userDetailsService(userDetailsService);
}
}
This is my custom authentication provider code
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider{
public static final Logger logger = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
#Autowired
WyzbeeGatewayService sdkService;
#Autowired
UserData userData;
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
logger.info("###############################################################################################");
logger.info(authentication.getName()+" "+authentication.getCredentials());
logger.info("###############################################################################################");
try {
final String userToken = sdkService.login(authentication.getName(), authentication.getCredentials().toString());
final LoginResponse responseValidate = sdkService.validateUser(authentication.getName(), authentication.getCredentials().toString());
userData.setUserTenantList(responseValidate.getUserTenantList());
List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
userData.setUserName(authentication.getName());
userData.setPasswrod(authentication.getCredentials().toString());
userData.setGrantedAuths(grantedAuths);
userData.setUserToken(userToken);
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(authentication.getName(), authentication.getCredentials().toString(), grantedAuths);
logger.info("checking for authentication "+usernamePasswordAuthenticationToken.isAuthenticated());
//UserDetails user = new User(authentication.getName(), authentication.getCredentials().toString(), true, true, true, true, grantedAuths);
//SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken("tokenkey", authentication.getName(), grantedAuths));
/* UserService userService = new UserService();
userService.setUserDetails(user);*/
return usernamePasswordAuthenticationToken;
} catch (final WyzbeeException e) {
throw new UsernameNotFoundException("Username " + authentication.getName() + " not found");
}
}
#Override
public boolean supports(Class<?> arg0) {
return true;
}
As I don't have direct access to the database we have a rest call for login and logout so I was not able to use directly UserDetailsServiceI used AuthenticationProvider to check the credentials but, spring document says if you want to use in-built remember me mechanisms we should have UserDetailsService so I implemented in this way
#Service
public class UserService implements UserDetailsService {
UserDetails user= null;
public static final Logger logger = LoggerFactory.getLogger(UserService.class);
#Autowired
WyzbeeGatewayService sdkService;
#Autowired
UserData userData;
#Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
/*logger.info("###############################################################################################");
logger.info("User Service "+userData.getUserName());
logger.info("###############################################################################################");*/
return new User(userData.getUserName(), userData.getPasswrod(), true, true, true, true, userData.getGrantedAuths());
}
public void setUserDetails(UserDetails user){
this.user = user;
}
}
The problem is the cookie is generating and storing in browser when I login for first time after login I am closing the browser without logout when I again access my URL it is again moving to login page. I dent mention anything in index.jsp just maintained to redirect to login page.
Debugged content
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/login'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/signup'
2016-09-27 11:51:24 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/logout'
2016-09-27 11:51:24 DEBUG DispatcherServlet:1000 - Successfully completed request
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/loginProcess'
2016-09-27 11:51:24 DEBUG ExceptionTranslationFilter:117 - Chain processed normally
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/public/**'
2016-09-27 11:51:24 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /public/css/style.css; Attributes: [permitAll]
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:104 - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#4954e173
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities
2016-09-27 11:51:24 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5de2ed51, returned: 1
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:243 - Authorization successful
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:256 - RunAsManager did not change Authentication object
2016-09-27 11:51:24 DEBUG FilterChainProxy:310 - /public/css/style.css reached end of additional filter chain; proceeding with original chain
2016-09-27 11:51:24 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/virtual/public/css/style.css]
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:190 - Matching patterns for request [/public/css/style.css] are [/public/**, /**]
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:219 - URI Template variables for request [/public/css/style.css] are {}
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:140 - Mapping [/public/css/style.css] to HandlerExecutionChain with handler [ResourceHttpRequestHandler [locations=[class path resource [static/public/]], resolvers=[org.springframework.web.servlet.resource.PathResourceResolver#1c026d4e]]] and 1 interceptor
2016-09-27 11:51:24 DEBUG DispatcherServlet:951 - Last-Modified value for [/virtual/public/css/style.css] is: -1
2016-09-27 11:51:24 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-09-27 11:51:24 DEBUG DispatcherServlet:1000 - Successfully completed request
2016-09-27 11:51:24 DEBUG ExceptionTranslationFilter:117 - Chain processed normally
2016-09-27 11:51:24 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:104 - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#634ebe6
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:114 - Bound request context to thread: org.apache.catalina.connector.RequestFacade#634ebe6
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:114 - Bound request context to thread: org.apache.catalina.connector.RequestFacade#4954e173
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-27 11:51:24 DEBUG HttpSessionSecurityContextRepository:207 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#7a88a3ec: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG HttpSessionSecurityContextRepository:207 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#7a88a3ec: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/fonts/eau_sans_bold-webfont.woff'; against '/logout'
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'POST /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'PUT /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'DELETE /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:72 - No matches found
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/fonts/eau_sans_book-webfont.woff'; against '/logout'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'POST /loginProcess
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'POST /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'PUT /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'DELETE /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:72 - No matches found
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'POST /loginProcess
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2016-09-27 11:51:24 DEBUG RememberMeAuthenticationFilter:154 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG RememberMeAuthenticationFilter:154 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'

Spring Boot 1.3 + OAuth: Authentication request failed: BadCredentialsException: Could not obtain access token

I'm trying to authenticate an OAuth Spring Boot 1.3 with WSO2 Identity provider.
Problem: Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
Question: What is missing in my code/configuration in order to obtain the Access Token.
application.yml
security:
oauth2:
client:
clientId: 6kRDeCMVKjYzH7duL33AFAYX8dka
clientSecret: USEZhqRyCfF_dIdEIjFolFOkTAoa
accessTokenUri: https://localhost:9443/oauth2/token
userAuthorizationUri: https://localhost:9443/oauth2/authorize
clientAuthenticationScheme: form
resource:
schema=openid
userInfoUri: https://localhost:9443/oauth2/userinfo?schema=openid
Application.groovy
#SpringBootApplication
#EnableOAuth2Sso
class Application extends GrailsAutoConfiguration {
static void main(String[] args) {
GrailsApp.run(Application, args)
}
#Bean public RequestContextListener requestContextListener(){
return new RequestContextListener();
}
}
Output:
DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request '/login' matched by universal pattern '/**'
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#67c3c622. A new one will be created.
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#681bd9a9
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /login' doesn't match 'POST /logout
DEBUG org.springframework.security.web.FilterChainProxy - /login?code=4ccb21df259c452e187421d46b984cf3&state=ioU1XC at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter - Request is to process authentication
DEBUG org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
DEBUG org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#1ed9d99c
DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

I found the problem.
Problem: Since I'm using the WSO2 Identity Server in development mode, with an self-signed certificate, Java don't trust on it. And, in some HTTP request to WSO2 endpoints, connection fails by this invalid certificate.
Temporary solution: Turn off SSL checking in your development mode.
Solution: In a production environment, make sure that you WSO2 Identity Server has a valid certificate.

Spring Security JavaConfig with HTTP Basic and JSR-250: 403 Forbidden

How the Configuration should look like when using #RolesAllowed Annotation?
I don't need any auth at my webpage as there's no login or anything else. Only the admin panel should have an http basic auth.
This is my current code:
public class WebAppInitializer extends AbstractSecurityWebApplicationInitializer {
#Override
public void beforeSpringSecurityFilterChain(ServletContext servletContext) {
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.getEnvironment().setDefaultProfiles("production");
rootContext.scan("com.xxx.config");
container.addListener(new ContextLoaderListener(rootContext));
ServletRegistration.Dynamic servlet = container.addServlet("DispatcherServlet", DispatcherServlet.class);
servlet.setInitParameter("contextConfigLocation", "");
servlet.setLoadOnStartup(1);
servlet.addMapping("/");
FilterRegistration charEncodingfilterReg = container.addFilter("CharacterEncodingFilter", CharacterEncodingFilter.class);
charEncodingfilterReg.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
charEncodingfilterReg.setInitParameter("encoding", "UTF-8");
charEncodingfilterReg.setInitParameter("forceEncoding", "true");
}
}
#Controller
#RequestMapping("admin")
#RolesAllowed("admin")
public class AdminController {
// ...
}
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private Environment env;
private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().realmName(env.getProperty("adminRealm"));
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
// Output: DEBUG SecurityConfig - Register credentials for roles user, admin: admin:admin
log.debug("Register credentials for roles user, admin: " + env.getProperty("adminUsername") + ":" + env.getProperty("adminPassword"));
auth.inMemoryAuthentication().withUser(env.getProperty("adminUsername")).password(env.getProperty("adminPassword")).roles("user", "admin");
}
}
But after the login with the correct credentials I'm just getting a HTTP 403.
Log while requesting the admin panel:
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Taking snapshot of request attributes before include
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/fancybox/jquery.fancybox.css
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/fancybox/jquery.fancybox.css] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/fancybox/jquery.fancybox.css] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/fancybox/jquery.fancybox.css] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/fancybox/jquery.fancybox.css] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/fancybox/jquery.fancybox.css] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG ResourceHttpRequestHandler - Determined media type 'text/css' for ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Restoring snapshot of request attributes after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.introspectTypeLevelMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.FLASH_MAP_MANAGER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.CONTEXT] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.bestMatchingPattern] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER] after include
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Skipping processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 0
-----------------------------------------
ms % Task name
-----------------------------------------
00000 � Using ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.model.resource.processor.impl.css.CssUrlRewritingProcessor#76ec1185
...much wro4j stuff...
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 2770
-----------------------------------------
ms % Task name
-----------------------------------------
02770 100% Using ro.isdc.wro.model.resource.processor.impl.css.JawrCssMinifierProcessor#2c8e5aa6
DEBUG DefaultSynchronizedCacheStrategyDecorator - found content: .clearfix{*zoom:1}.clearfix...
DEBUG DefaultSynchronizedCacheStrategyDecorator - Content to fingerprint: [.clearfix{*zoom:1}.clearfix...]
DEBUG AbstractDigesterHashStrategy - SHA1HashStrategy hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG DefaultSynchronizedCacheStrategyDecorator - computed entry: hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG ResourceBundleProcessor - ETag hash detected: "51eda04c354d73243fa387841c9d888bbeb4a201". Sending 304 status code
DEBUG WroFilter - Disable Cache is true. Destroying model...
DEBUG DefaultWroModelFactoryDecorator - Destroy model
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/logo.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/logo.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/logo.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/logo.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/logo.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/logo.png
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/logo.png]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/logo.png] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/logo.png] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/logo.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/logo.png] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [img/logo.png] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/logo.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/logo.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/eagle.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/eagle.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/eagle.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/eagle.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/eagle.png
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/webjars/font/fontawesome-webfont.woff'; against '/logout'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/eagle.png]
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/eagle.png] are [/resources/**]
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/eagle.png] are {}
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/eagle.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/eagle.png] is: -1
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 reached end of additional filter chain; proceeding with original chain
DEBUG ResourceHttpRequestHandler - Trying relative path [img/eagle.png] against base location: ServletContext resource [/resources/**]
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/eagle.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/eagle.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/font/fontawesome-webfont.woff
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/font/fontawesome-webfont.woff] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/font/fontawesome-webfont.woff] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/font/fontawesome-webfont.woff] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/font/fontawesome-webfont.woff] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/font/fontawesome-webfont.woff] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Determined media type 'application/x-font-woff' for ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Permissions:
$ cd ~/workspace/xxxxx/target/classes && ls -l . && ls -l META-INF && ls -l META-INF/services && ls -l properties && ls -l properties/common && ls -l properties/development
insgesamt 76
drwxrwxr-x 4 danny danny 4096 Nov 12 17:57 com
-rw-rw-r-- 1 danny danny 19074 Nov 12 17:57 import.sql
-rw-rw-r-- 1 danny danny 519 Nov 14 22:16 logback.xml
drwxrwxr-x 3 danny danny 4096 Nov 12 17:57 META-INF
drwxrwxr-x 5 danny danny 4096 Nov 12 17:57 properties
-rw-rw-r-- 1 danny danny 2215 Nov 12 17:57 tiles.xml
-rw-rw-r-- 1 danny danny 2444 Nov 12 17:57 wro.xml
insgesamt 4
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 services
insgesamt 24
-rw-rw-r-- 1 danny danny 34 Nov 12 17:57 javax.servlet.ServletContainerInitializer
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 ro.isdc.wro.model.spi.ModelFactoryProvider
insgesamt 12
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 common
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 development
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 production
insgesamt 48
-rw-rw-r-- 1 danny danny 737 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 88 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 125 Nov 12 17:57 wro.properties
insgesamt 48
-rw-rw-r-- 1 danny danny 142 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 53 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 35 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 17 Nov 12 17:57 wro.properties

As you are using the default authentication manager your rolenames must be prefixed with "ROLE_" to be matched.

Resources