Reputation: 53
I don't have much expertise with Spring Security and I have a question that could be a bit silly. I've been trying to solve an issue for a few days and maybe I misunderstood the way to configure my app. I'd appreciate it if anyone can bring some light into this.
I implemented a REST API with Spring and I wanted to add security to it. From the Spring Security docs I read: "... It's generally considered good security practice to adopt a 'deny-by-default' where you explicitly specify what is allowed and disallow everything else. ...", with which I agree. So I added that Authentication requirement to my configuration.
However, I'd like to make a few of the calls to the API public (from my GUI), so I thought that Anonymous Authentication would work. Again, from the docs I read: "... no real conceptual difference between a user who is 'anonymously authenticated' and an unauthenticated user ...", so, all good.
However, when I execute those calls, I get a 403 response (AbstractSecurityInterceptor throws an AccessDeniedException on decide about the Authentication). So, I leave here several questions plus my configuration lines in case you know what problems and misunderstandings I have.
Config...
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .cors().and()
        .anonymous().and()
        .authorizeRequests()
            // explicitly allowed (public) endpoints
            .antMatchers("/").permitAll()
            .antMatchers(HttpMethod.POST, "/users/login").permitAll()
            // deny-by-default: everything else requires an authenticated user
            .anyRequest().authenticated().and()
        // We filter the api/login requests
        .addFilterBefore(new JwtLoginFilter("/users/login", authenticationManager()),
                UsernamePasswordAuthenticationFilter.class)
        // validates the JWT on every other request and sets the Authentication
        .addFilterBefore(new JwtAuthenticationFilter(),
                UsernamePasswordAuthenticationFilter.class);
}
Questions...
1) AnonymousAuthenticationToken is still authenticated, right?
2) Is the anonymous() line needed if I don't customize the configuration for Anonymous Authentication? The Anonymous token is there (when I debug) when an authentication is missing.
3) Is there anything missing in the configuration to accept those requests?
4) The docs mention the ExceptionTranslationFilter that should process the AccessDeniedException to the AuthenticationEntryPoint. Do I need to define an AuthenticationEntryPoint? If so, with what purpose?
I've tried to be as precise as possible. I hope someone can reply. Thank you very much for your help!
Upvotes: 2
Views: 5787
Reputation: 424
Do you have unauthenticated access to the root '/'? I ask this because it looks like that is what you intend with the line:
.antMatchers("/").permitAll()
I guess in order to allow unauthenticated requests (or anonymously authenticated requests; note that for Spring, anonymous and unauthenticated are basically the same) you will need to add the ant match for those paths, something like:
.antMatchers("/public-page").permitAll()
Upvotes: 1
Reputation: 593
You need to put this into your configuration file:
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
Upvotes: 2
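A configuration that combines both answers, added here as an example and not code from the asker or either answerer: deny-by-default is kept, each public path and the browser's CORS preflight (OPTIONS) requests are permitted explicitly, and the CORS origin is pinned to the GUI instead of left open. It assumes Spring Security 5 with WebSecurityConfigurerAdapter, the asker's own JwtLoginFilter and JwtAuthenticationFilter classes, and a hypothetical /public/** path and GUI origin.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Token-based API without sessions, so there is no CSRF token to protect.
            .csrf().disable()
            // Uses the CorsConfigurationSource bean below; the CorsFilter then answers
            // preflight OPTIONS requests before any authorization decision is made.
            .cors().and()
            // anonymous() is already applied by the adapter's defaults, so it is not repeated.
            // A REST client should get 401 for a missing token, not a redirect to a login page.
            .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()
            .authorizeRequests()
                // Preflight requests never carry the JWT; permitting OPTIONS stops them from
                // reaching FilterSecurityInterceptor as an anonymous, and therefore denied, call.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Every public endpoint is listed explicitly; everything else stays denied.
                .antMatchers("/").permitAll()
                .antMatchers(HttpMethod.POST, "/users/login").permitAll()
                .antMatchers(HttpMethod.GET, "/public/**").permitAll() // hypothetical public GUI endpoints
                .anyRequest().authenticated().and()
            .addFilterBefore(new JwtLoginFilter("/users/login", authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://gui.example.com")); // placeholder GUI origin, not "*"
        cfg.setAllowedMethods(List.of("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
}
```

Permitting OPTIONS only lets the preflight through; the actual GET or POST that follows is still matched against the rules above, so the deny-by-default posture is unchanged.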