Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
147 views
in Technique[技术] by (71.8m points)

java - Spring ignores permitAll rule

I have the following WebSecurity configuration:

        @Autowired
        private ApplicationAuthenticationProvider appProvider;
        
        @Bean
        @Qualifier("apiAuthenticationFilter")
        public TokenAuthenticationFilter apiAuthenticationFilter(TokenAuthenticationFailureHandler failureHandler,
                TokenAuthenticationSuccessHandler successHandler) throws Exception {
            TokenAuthenticationFilter filter = new TokenAuthenticationFilter();
            filter.setAuthenticationManager(authenticationManagerBean());
            filter.setAuthenticationFailureHandler(failureHandler);
            filter.setAuthenticationSuccessHandler(successHandler);
            return filter;
        }
        
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests()
                .antMatchers("/api/oauth2/token", "/api/oauth2/application/token").permitAll()
                .antMatchers("/api/internal**").hasAuthority("READ_ALL")
                .anyRequest().authenticated()
                .and()
                .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(this.appProvider)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN))
                .and()
                .cors().disable()
                .formLogin().disable()
                .csrf().disable()
                .logout().disable();
        }

I tried accessing http://localhost:8080/api/oauth2/token?client_id=...&other_query_params=param, but instead of accessing that page, like configured here:

                .antMatchers("/oauth2/token", "/oauth2/application/token").permitAll()

It calls the filter chain and the filter added here:

                .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)

which rejects my request cause of a missing token, but it should be allowed instead.

That is what my log says:

26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 4 of 10 in additional filter chain; firing Filter: 'TokenAuthenticationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Request is to process authentication
26-01-2021  INFO 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Invoked attempAuthentication
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Invalid token submitted: null
question from:https://stackoverflow.com/questions/65904000/spring-ignores-permitall-rule

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Ok, I fixed the bug right now, it was a logical mistake. I want to explain what the problem was.

Since I wanted to use oauth2 authentication in my application, I added a filter called TokenAuthenticationFilter to get the Authorization Header and authenticate using the credentials in that header. But my filter did not limit the cases where to apply. So all requests, also the "permitAll" requests were going through that filter and rejected cause of no authentication. So I changed my code that the filter only applies if the "Authorization" Header is set and now everything works.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...