#Spring Boot Security Hell

21 messages · Page 1 of 1 (latest)

idle yew
#

Currently I am building some web app. The problem is that I have a login method dedicated for anyone to use:

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}

As it can be seen I've directly told it to throw FAILED_DEPENDENCY (just as a test), because my security config:

csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET, "/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});

always makes it return 403 when an exception occurs. No matter what exception is thrown, it answers with a 403 when using the endpoint "/api/v1/user/login". When no error is thrown it works, so I don't know what is going on...

outer oliveBOT
#

This post has been reserved for your question.

Hey @idle yew! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

still shale
#

My guess is CSRF

#

Do you include CSRF tokens in the request?

idle yew
#

I do not

#

Wait

#
@Slf4j @Order(1) @AllArgsConstructor @Getter(AccessLevel.PROTECTED)
public class JwtAuthorizationFilter extends OncePerRequestFilter
{
    private final UserService userService;

    @Override protected void doFilterInternal(@NotNull HttpServletRequest request,@NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException
    {
        try
        {
            // first check header then cookies
            String token = checkHeader(request).or(() -> checkCookies(request)).orElse("");
            getUserService().validate(token).ifPresentOrElse((auth) ->
            {
                log.info("The authorization token was successfully validated.");
                SecurityContextHolder.getContext().setAuthentication(auth);
                request.setAttribute("token", auth.getDetails());
            }, () -> log.warn("The request did not contain a valid authorization token."));
        } catch (ExpiredJwtException expiredJwtException)
        {
            log.warn("An incoming request had an expired token.");
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "The token is expired");
        }
        filterChain.doFilter(request, response);
    }
}
#

this is my only filter, but the problem still occurs when bypassing it

still shale
#

Can you enable DEBUG or TRACE logging for Spring Security and show these logs when making the request?

idle yew
#

Sure, will do when home, thanks for your time however.

idle yew
# still shale Can you enable DEBUG or TRACE logging for Spring Security and show these logs wh...
2025-01-02T20:03:45.431+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.432+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured POST /api/v1/user/login
2025-01-02T20:03:45.478+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /error
2025-01-02T20:03:45.479+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.481+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access

still shale
#

What was there before?

#

How are you adding the filter?

idle yew
#

I'll send you the whole log in 5 minutes; currently I need to switch to another branch and demonstrate something

idle yew
#

Okay, I've been looking at the logs and they tell me that the request is forwarded to the /error endpoint.
However, this endpoint is secured by .authenticated().
Therefore it fails with a 403. By enabling debug you led me to the right choice. Thanks for your time!

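As an added example (not code from this thread or from the poster's project), here is a SecurityFilterChain that keeps the three rules from the config posted above and additionally permits the container's error dispatch, which is the path the DEBUG log shows ("Securing POST /error" followed by the Http403ForbiddenEntryPoint). When a controller or a filter throws, the servlet container forwards the request to /error with DispatcherType.ERROR; since Spring Security 6 the AuthorizationFilter runs on that dispatch too, so anyRequest().authenticated() rejects it for an anonymous caller and the original exception is replaced by a 403. The class name ApiSecurityConfig, the bean name apiFilterChain, the package, and the use of Spring Security 6.1+ (where dispatcherTypeMatchers is available) are assumptions; JwtAuthorizationFilter is the filter posted earlier in the thread.

```java
package example.security; // assumed package, not from the thread

import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // The OncePerRequestFilter posted in the thread; injected as a bean here (assumption).
    private final JwtAuthorizationFilter jwtFilter;

    public ApiSecurityConfig(JwtAuthorizationFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Assumption: the API is authenticated only by a bearer token in the Authorization
            // header, so no session and no CSRF token are involved. See the note below if the
            // token is also read from a cookie, as the posted filter does.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> {
                // The fix for the 403 in the thread: allow the container's ERROR dispatch to
                // reach /error. This matches only the internal forward, not a client that
                // requests GET /error directly, so the error controller is not exposed
                // more widely than necessary.
                auth.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll();

                // Rules from the posted config, unchanged.
                // Note: anonymous() means a caller that already presents a valid JWT gets 403
                // on /login; permitAll() is the usual choice if re-login should be allowed.
                auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
                auth.requestMatchers(HttpMethod.GET, "/api/v1/user/logout").permitAll();
                auth.anyRequest().authenticated();
            });
        return http.build();
    }
}
```

Two things worth checking after applying this. First, the thrown status now reaches the client (424 from the test in the controller, 401 from the expired-token branch of the filter), and the response body comes from Spring Boot's error controller; keep the default server.error.include-stacktrace=never so an unauthenticated caller cannot read stack traces through that path. Second, the posted filter also accepts the token from a cookie; a cookie-carried credential is sent automatically by the browser, so for that deployment CSRF protection should stay enabled for the cookie case rather than being disabled as in this header-only example.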
outer oliveBOT