# My Security Configuration blocks all /GET requests to any page. Any idea why?


vestal quartz
#

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import com.example.demo.SecurityConfiguration.JwtAuthenticationFilter;

@Configuration
public class SecurityConfiguration {
    @Autowired
    private JwtAuthenticationFilter jwtAuthenticationFilter;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/login", "/api/signup").permitAll()
                )
                .addFilterBefore(jwtAuthenticationFilter,
                        UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}
```

light plinth
#

AFAIK, by default Spring Security will treat all endpoint accesses as .authenticated(), which in your case would mean that all paths aside from /api/login and /api/signup would at least require some kind of auth (in your case user/password).
To allow access for all GET requests WITHOUT auth, you may want to add .requestMatchers(HttpMethod.GET).permitAll() as well.
(Please someone CMIIW)

#

It's also better to explicitly specify at least .anyRequest().authenticated() or .anyRequest().permitAll(), as you see fit, to avoid confusion.

#

Please also note that the rule ordering MATTERS: whichever rule comes first is prioritized over the next.
Which means that if, for example, you put .anyRequest().authenticated() as the first rule, it wouldn't matter what rules you provide next; they'd all be swallowed by the first rule.

vestal quartz
#

But still, the problem is, it still says that access is denied when I go to /login or /signup

light plinth
#

are you sure you're accessing /api/login and not /login?

#

because the endpoint you set in the config is specifically /api/login

#

also, I'm not sure what you're trying to achieve by adding both JWT auth and username/password together in addFilterBefore.

#

do you want the users to be able to login with either token or basic (user/pass) or what?

vestal quartz
#

I am practicing jwt

#

Actually it is my first time implementing login/signup on my own

#

My idea is:
Through the JWT token extract the username, then through the username extract the password from the DB via my own custom module

true otter
# vestal quartz But still, the problem is, it still says that access is denied when I go to /logi...

I had this same problem too. To my knowledge (CMIIW), the filter you added with addFilterBefore will still be run even if you use permitAll(). How I solved it (which may not be optimal, but has worked for me so far) was to add an if statement in my filter that would automatically return a successful login if the path matched, i.e. (in your filter):

```java
// Skip JWT processing for the public paths and hand the request straight down the chain
if (request.getRequestURI().startsWith("/api/")) {
    filterChain.doFilter(request, response);
    return;
}
```

Something like this should work

vestal quartz
# true otter could you send your filter?

Okay, tomorrow.
I also have a problem with Lombok

Apparently Java does not see the getters, setters, or Lombok as a whole, since I get "unknown method" when I invoke getUsername()

#

Dependency is there

#

Idk what is wrong

vestal quartz
#

@true otter here

```java
import java.io.IOException;

// jakarta.* is the Spring Boot 3 / Spring Security 6 namespace; on Boot 2 these are javax.*
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// JwtUtils (extractUsername, isTokenValid) is the poster's own class, assumed to live in the same package.
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    @Autowired
    private JwtUtils jwtService;
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(
            HttpServletRequest request,
            HttpServletResponse response,
            FilterChain filterChain
    ) throws ServletException, IOException {
        // Public endpoints: skip token handling entirely
        String path = request.getRequestURI();
        if (path.equals("/api/login") || path.equals("/api/signup")) {
            filterChain.doFilter(request, response);
            return;
        }

        // No bearer token: continue unauthenticated and let the authorization rules decide
        String authHeader = request.getHeader("Authorization");
        String jwt;
        String username;
        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            filterChain.doFilter(request, response);
            return;
        }

        jwt = authHeader.substring(7);
        try {
            username = jwtService.extractUsername(jwt);
        } catch (Exception e) {
            // Malformed or unparsable token: treat as anonymous rather than failing the request here
            filterChain.doFilter(request, response);
            return;
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            if (jwtService.isTokenValid(jwt, userDetails.getUsername())) {

                // Credentials are null: the token already proved identity, no password is re-checked
                UsernamePasswordAuthenticationToken authToken =
                        new UsernamePasswordAuthenticationToken(
                                userDetails,
                                null,
                                userDetails.getAuthorities()
                        );

                authToken.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(request)
                );

                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }

        filterChain.doFilter(request, response);
    }
}
```

vestal quartz
#

Anyone can help pls?

fickle rock
#

I don't have specific knowledge on the specific Spring Security issue, but for JWTs you usually assume the user is authenticated as JWTs are signed and you know the server emitted it.

#

I guess it would make more sense that you issue the JWT after the login, rather than performing the login from a username in a JWT plus a password in the request body

vestal quartz
#

How would the jwt keep information related to the user?

fickle rock
#

JWTs are often used to avoid having to keep sessions on the backend, as you issue a token and don't have to worry about when the session expires because the token will have that information

#

Although keep in mind, you don't need JWTs to have what I described earlier

#

People misuse JWTs a lot

fickle rock
#

Is this just one service?

#

Why not a simple cookie session?

#

The user enters the username and password on a form and POSTs it; on the backend you validate the username and password, and if they're correct you start a session (you will need some backend place to keep these) and send the user a cookie that identifies the session

#

Another even more basic authentication method is to require the Authentication header with Basic username:password on every request

vestal quartz
#

Services*

fickle rock
#

Then JWTs are actually appropriate

vestal quartz
#

I still don't know why it says access denied to "/login" and signup even though I wrote an exception for those two in my filter?

hollow harbor
#

could you add "/login" within your requestMatchers? Like .requestMatchers("/api/login", "/login", "/api/signup").permitAll()

#

I'd also suggest you check whether your system works before enabling Spring Security (I mean there may be another problem in your GET/POST request controllers that you missed), so first just disable Spring Security and check whether everything is working, then enable it

vestal quartz
#

it works with the "/**" as a path though
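
Added example (mine, not code posted by anyone in the thread): the SecurityFilterChain from the first message with the fixes the thread converges on, as a complete Spring Security 6 configuration class. The reason every GET is refused is that authorizeHttpRequests in Spring Security 6 denies any request that matches none of the declared matchers (RequestMatcherDelegatingAuthorizationManager returns DENY when no RequestMatcher matches), so with only the two permitAll rules everything else gets "Access Denied" even when the JWT filter has authenticated the user; "/**" appears to work only because it then permits every request. Assumptions not taken from the thread: the package com.example.demo, the public read-only path prefix /api/public/**, and that JwtAuthenticationFilter is the poster's filter class shown above.

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Added example, not from the thread. JwtAuthenticationFilter is the poster's
// OncePerRequestFilter; "/api/public/**" is an assumed prefix for endpoints that
// should be readable without a token.
@Configuration
public class SecurityConfiguration {

    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    // Constructor injection instead of field @Autowired: the bean cannot be
    // constructed without its filter, and the dependency is visible in tests.
    public SecurityConfiguration(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // A bearer-token API carries no session cookie, so CSRF protection
            // does not apply; keep it enabled for a cookie-session login.
            .csrf(AbstractHttpConfigurer::disable)
            // Never create an HttpSession: each request is authenticated by
            // its own token and nothing else.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // With no formLogin()/httpBasic() the default entry point answers a
            // missing or invalid token with 403 "Access Denied"; 401 tells an API
            // client it has to (re)authenticate.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth
                // Most specific rules first: the first matcher that matches wins.
                .requestMatchers("/api/login", "/api/signup").permitAll()
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                // Without this line Spring Security 6 DENIES every request that
                // matched none of the matchers above, which is the "all GETs
                // blocked" symptom. anyRequest() must be the LAST rule: calling
                // requestMatchers(...) after it throws IllegalStateException.
                .anyRequest().authenticated()
            )
            // The JWT filter runs on every request, permitAll paths included. It
            // must pass requests without a valid token down the chain
            // unauthenticated and let the rules above decide, which the poster's
            // filter already does.
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}
```

With this chain, GET /api/public/anything and POST /api/login succeed without a token, GET /api/orders without a token returns 401 instead of 403, and the same request with a valid Bearer token reaches the controller because the filter populates the SecurityContext before the authorization check runs.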