Base on this Answer, I'm trying to secure everything but the login page in my spring app.
So I'm using this Java configuration files for OAuth2
The extends for the ResourceServerConfigurerAdapter:
#Override
public void configure(final HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/**")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.antMatchers("/login")
.permitAll()
The extends for OAuth2SsoConfigurerAdapter {
#Override
public void match(RequestMatchers matchers) {
matchers.antMatchers("/login");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest()
.authenticated()
}
So, what I looking for is to have a http 401 for every request but for /login.
If a login request is perform the #EnableOAuth2Sso annotation would be used to redirect it to the OAuth2 server.
Update 1
After changing the order of the filter ResourceServerConfigurerAdapter, the /login request is not found.
http
.requestMatchers()
.antMatchers("/**")
.and()
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.anyRequest()
.authenticated()
This request would be Unauthorized because any token is provided
~/ http 401 Unauthorized (good)
~/resource http 401 Unauthorized (good)
But the login page is not found:
~/login http 404 Not Found (bad)
The correct functionality should be a http 302 redirection to the OAuth2 server when the ~/login is hit.
Related
As the title says Spring security's ant matcher's permit all doesn't work at all here's the method for it
#Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/css/*", "/js/*", "index").permitAll()
.antMatchers(HttpMethod.POST, "/api/v1/user/auth/register").permitAll()
.antMatchers("/get", "/delete/*", "/api/v1/user/auth/**").hasRole(ADMIN.name())
.anyRequest()
.authenticated()
.and()
.httpBasic();
}
it should only allow the url ending with /get to be accessed by user that has admin role but I can access it without it (USER role) is there anything I'm doing wrong?
I tried changing the endpoint but didn't succeed at all
I was searching a lot to find solution of my problem but nothing helps.
I am tryng to set up my Spring Security as:
#Override
public void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.PUT, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.GET, "/shapes").permitAll()
.antMatchers("/users", "/shapes/history").permitAll()
.anyRequest().authenticated()
.and()
.cors()
.and()
.csrf()
.disable();
}
and now:
every request on endpoint /users is open, is not secured
#PostMapping("/shapes") is secured and returns 401 unauthorized
#GetMapping is secured too - it returns 401 error if I not add username and password <- there is problem of that question
/shapes/history is secured too
so the problem has to be here somewhere:
.antMatchers(HttpMethod.POST, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.PUT, "/shapes").hasAnyAuthority("USER")
.antMatchers(HttpMethod.GET, "/shapes").permitAll()
I won't to change endpoints, I would like to have #GetMapping and #PostMapping on the /shapes.
I have a question concerning spring and web flux.
I have a spring project with spring security and MVC as dependencies.
This application accepts requests and check authentication using the session cookie.
For all the requests starting with "/api/" a failed authentication results in a 401 response, so that can be intercepted by the frontend as such.
For all the requests different from "/api/**" a failed authentication results in the server returning a login page so that the user can login.
This is the SecuritConfig class:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.exceptionHandling()
.defaultAuthenticationEntryPointFor(new
HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
new AntPathRequestMatcher("/api/**"))
.and()
.cors();
}
}
Now, I am trying to achieve the same thing using web flux. With web flux the SecurityConfig is different, I can setup almost all the configs that I have in the old class but there is no equivalent for:
defaultAuthenticationEntryPointFor(new
HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
new AntPathRequestMatcher("/api/**"))
My new security config look like:
#Configuration
#EnableWebFluxSecurity
public class SecurityConfig {
#Bean
public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
return http
.authorizeExchange()
.pathMatchers("/login/**")
.permitAll()
.anyExchange()
.authenticated()
.and()
.formLogin()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(new
HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.build();
}
}
But in this case I only get 401 for all the requests that fail authentication.
Does anybody know how to achieve the same behavior with web flux?
Thank you
Need to customise the default oauth2 authentication server /login page to user defined page along with passing query parameters
I tried by using this link https://www.javainuse.com/spring/boot_form_security_custom_login
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/login","/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll();
}
I got the following setup for my security:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**", "/registration/**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
.anyRequest().permitAll()
.and()
.requiresChannel().anyRequest().requiresSecure()
.and()
.exceptionHandling().accessDeniedPage("/denied")
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/error-login");
}
Now problem is when i deploy it on production server when i try open demo.com or http://demo.com or combination of such, i get too many redirects and it fails.
On Chrome: ERR_TOO_MANY_REDIRECTS
On Firefox: The page isn't redirecting properly
In other words it redirects until it fails.
Any advice on what could be wrong here or what i could do to figure out the problem?
EDIT 1:
Controller request
#Controller
public class BaseController {
#RequestMapping(value = {"/", "/index"})
public String home() {
return "index";
}
}
Log: No entries (other than standard bootup sequence)
You have to specify port mapping in your WebSecurityConfigurer with the corresponding HTTP and HTTPS ports of your application:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**", "/registration/**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
.anyRequest().permitAll()
.and()
.requiresChannel().anyRequest().requiresSecure()
.and()
.portMapper()
.http(8080).mapsTo(8443);
.and()
.exceptionHandling().accessDeniedPage("/denied")
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/error-login");
}
http.portMapper().http(8080).mapsTo(8443) maps your HTTP 8080 port to HTTPS 8443 port to correctly perform the redirect.
Read more:
https://myshittycode.com/2014/06/12/spring-security-forcing-urls-to-use-https/
http://www.rmarcello.it/spring-security-aumomatic-redirect-on-https/