#spring auth doesnt work

acoustic horizon
#
```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
    @Bean
    public SecurityFilterChain getSecurityFilterChain(HttpSecurity http, AuthenticationConfiguration authConfig) throws Exception {
        return http.httpBasic()
                .disable()
                .csrf().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilter(new JWTAuthFilter()).build();
    }
}
```

```java
@PostMapping("/test")
@ResponseStatus(HttpStatus.CREATED)
@Secured({})
public String foo(@AuthenticationPrincipal Account account) {
    return account.getUsername();
}
```

Auth does not work

manic night
#

What are you getting? Are there any errors or warnings?

acoustic horizon
#

The endpoint is not secured

rancid egretBOT
#

spring auth doesnt work

#

Changed the title to spring auth doesnt work.

tardy basin
#

Details please

#

Full error message and screenshots and whatever else you have

acoustic horizon
#

There is no error. I expect the /test endpoint to require authentication to access it but this isn't happening

tight flame
#

For reference, I wanted all the requests apart from the ones I declared to be authenticated. So I used anyRequest().authenticated() after I allowed certain requests.

acoustic horizon
#

But with this approach it is really easy to secure an endpoint or make it public by mistake.
I would prefer to do something like this:

```java
@PostMapping("/test")
@ResponseStatus(HttpStatus.CREATED)
@RequireAuth
public String foo(@AuthenticationPrincipal Account account) {
    return account.getUsername();
}
```

tight flame
#

oh mb, this was a project done to learn spring security. So def not the most suitable way to do it.

acoustic horizon
#

```java
http.httpBasic()
        .disable()
        .csrf().disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeHttpRequests()
        .requestMatchers(new AntPathRequestMatcher("/images/test")).authenticated()
        .anyRequest().permitAll()
        .and()
        .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
        .build();
```

acoustic horizon
#

The filter is run for every endpoint

#

instead of only for /images/test

tight flame
#

so you should be able to access all the endpoints except /images/test without authentication?

acoustic horizon
#

yes

acoustic horizon
#

I fixed it

#

I misunderstood the purpose of the filter