Spring Boot Security wont ignore certain paths that dont need to be secured

Question

I've seen people post about this issue before. The problem is that I want everything in my /api/v1/auth/ controller to not go through the JWT filter chain.

This is what my my security config looks like

@Configuration
@EnableWebSecurity
class SecurityConfig() : WebSecurityConfigurerAdapter() {

    @Autowired
    lateinit var tokenService: TokenService

    override fun configure(web: WebSecurity) {
        web.ignoring().antMatchers(
                "/v2/api-docs",
                "/configuration/ui",
                "/swagger-resources/**",
                "/configuration/security",
                "/swagger-ui.html",
                "/webjars/**",
                "/api/v1/auth/**",
                "/api/v1/auth/request",
                "/api/v1/auth/verify",
                "/api/v1/auth/verify_hack",
                "/api/v1/auth/refresh_token",
                "/messages",
                "/index.html"
        )
    }

    override fun configure(http: HttpSecurity) {
        http.cors().and().csrf()
                .disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/api/v1/auth/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .addFilterBefore(JwtFilter(tokenService), UsernamePasswordAuthenticationFilter::class.java)


    }
}

It sort of works before where if I hit an endpoint under /api/v1/auth and DONT add a Authorization header it seemed to bypass the jwt filter class, if I DO add an authorization header to any request it ALWAYS goes into the JWT filter class, I need it to completely ignore it which is what both the configure methods should be doing.

You might ask why not just not send the Auth header, well I specifically need it for the api/v1/auth/refresh_token endpoint

This is Spring Boot 2.3.0 so latest and greatest.

TLDR how the heck do I get security config to actually ignore paths

JWT filter

class JwtFilter(private val tokenService: TokenService) : GenericFilterBean() {

    override fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {

        val token = TokenUtil.extractToken(request as HttpServletRequest)

        if (token != null && token.isNotEmpty()) {
            try {
                tokenService.getClaims(token)
            } catch (e: SignatureException) {
                throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Invalid JWT Signature")
            } catch (e: MalformedJwtException) {
                throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Invalid JWT token")
            } catch (e: ExpiredJwtException) {
                throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Expired JWT token")
            } catch (e: UnsupportedJwtException) {
                throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Unsupported JWT exception")
            } catch (e: IllegalArgumentException) {
                throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Jwt claims string is empty")
            }
        } else {
            throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing auth token")
        }
        chain.doFilter(request, response)
    }

}

Kavithakaran Kanapathippillai · Accepted Answer

You can add this method to your JwtFilter

class JwtFilter(private val tokenService: TokenService) : GenericFilterBean() {

    override fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
        if (request.getRequestURI().startsWith("/api/v1/auth/")) {
           filterChain.doFilter(request, response);
           return;
        }

        val token = TokenUtil.extractToken(request as HttpServletRequest)
        ....

Spring Boot Security wont ignore certain paths that dont need to be secured

Answers (2)

Related Questions