Reputation: 300
Spring Boot: disable security for status exception code
I have a Spring Boot application, with security. And I have removed the authentication for this "/login" url.
My Security Configuration
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private final JwtFilter jwtFilter;
@Autowired
public SecurityConfiguration(JwtFilter jwtFilter) {
this.jwtFilter = jwtFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.anonymous().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.anyRequest().authenticated().and()
.apply(new JwtConfigurerAdapter(jwtFilter)).and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs");
web.ignoring().antMatchers("/login");
}
}
My NotFound exception
@ResponseStatus(value = HttpStatus.NOT_FOUND)
public class NotFound extends RuntimeException {
public NotFound(String message) {
super(message);
}
}
My rest controller with login url and exception return value
@RestController
public class LoginController implements LoginService {
@Override
@GetMapping(value = "/login", produces = MediaType.APPLICATION_JSON_VALUE)
public UserInfo loginUsingJson(String username, String password) {
return findUser(username, password)).orElseThrow(() -> new NotFound("There does not exist any user by those credentials"));
}
}
Okay, here is my problem. When I call GET on "/login" and the UserInfo exists, it will return the user as JSON. This works because of web.ignoring().antMatchers("/login");, but if the user does not exist, then the exception NotFound with the http error code 404, will not show. It is now returning error code 401 Not Authorized.
I'm guessing it has something todo with HttpSecurity, where I have to add some exception or something so the exception code can be returned. But where do I allow exception handling to be ignored in the authorization of HttpSecurity?
Upvotes: 3
Views: 1920
Answers (1)
Reputation: 300
I found the answer, and would like to help others in the same situation.
My problem was that, when returning an rest exception with the errorcode 404 NotFound, Spring Boot would automatically redirect to url "/error". But this url map needs to be opened for business. So I had to ignore the authorization for this url also.
Here the solution is to add this:
web.ignoring().antMatchers("/error");
And here is the changed class:
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private final JwtFilter jwtFilter;
@Autowired
public SecurityConfiguration(JwtFilter jwtFilter) {
this.jwtFilter = jwtFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.anonymous().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.anyRequest().authenticated().and()
.apply(new JwtConfigurerAdapter(jwtFilter)).and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs");
web.ignoring().antMatchers("/login");
web.ignoring().antMatchers("/error");
}
}
Upvotes: 10
Related Questions
- How to catch AccessDeniedException in Spring Boot REST API
- Spring Rest Forbidden Access when hit Exception
- Handle Security exceptions in Spring Boot Resource Server
- Spring boot security, enable default error handling
- Spring returning status 401 on all exceptions
- Disable error message: AccessDeniedException: Access is denied
- How to turn off Spring Security in Spring Boot Application
- How to handle 404 with Spring Security?
- Throwing Exception on Authentication Failure
- Spring Boot how to ignore HttpStatus Exceptions