Reputation: 135
Configuring Springboot security, permitted path(s) not authorised 401
I have a Springboot REST API which has the endpoints
/api/quizzesGET/api/quizzes/{id}POST/api/registerPOST/GETwhich is a welcome page managed by a Thymeleaf controller class
I have set up my security class as follows;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
/* This sets up the security on specified paths according to role of client */
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.httpBasic()
.and().authorizeRequests()
.antMatchers("/api/quizzes/**").hasRole("USER")
// .antMatchers("/api/register/").permitAll() // have tried this, still 401
.antMatchers("/**").permitAll() // does not permit `/api/register` but does `/` and `h2-
// console
.and().headers().frameOptions().disable();
}
/* This sets up the user roles by searching the database for a match, so they can access the
endpoints configured above */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Bean
public PasswordEncoder getPasswordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
Now when I try to access /api/register in Postman the response is 401 unauthorised. I can access /. I understood that /** is a wildcard for this directory and any subdirectories, so it should match root and /api/register, and permitAll()?
Edit: Some more info
- comment out all the code in
SecurityConfig, I get access to/,/api/quizzes,/api/quizzes/{id}but not/api/register, in fact it returns 403 instead of 401 which is interesting. antMatchers("/**").permitAll(), access to all except/api/register, now response is 401 ?antMatchers("/**).authenticated(), everything returns 401 unauthorised
I wonder, all the /api/quizzes endpoints are under the QuizController, but the /api/register endpoint is under its own @RestController controller class. Have I missed an annotation? I can't see it, it's setup the same.
I know Spring isn't looking at my UserService as the sout message isn't printed. I did have this working at some point yesterday, it was fetching the User from the database table. I'm not sure what has changed.
Here's my UserService
@Service
public class UserService implements UserDetailsService {
@Autowired
static UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String email) {
Optional<User> user = userRepository.findByEmail(email);
System.out.println("loadByUsername called");
if (user.isPresent()) {
System.out.println("loadUserByUsername called: user.isPresent() = true");
return new MyUserDetails(user.get().getEmail(), user.get().getPassword());
} else {
throw new UsernameNotFoundException("User: " + email + " not found");
}
}
public static void saveUserToDB(User user) {
if (user.getPassword().length() < 5) {
throw new UsernameNotFoundException("password too short.");
}
Pattern pattern = Pattern.compile("simon\\.aust@hotmail\\.com");
Matcher matcher = pattern.matcher(user.getEmail());
if (!matcher.matches()) {
throw new UsernameNotFoundException("email not correct format");
}
userRepository.save(user);
}
}
UserRepository
public interface UserRepository extends CrudRepository<User, Long> {
Optional<User> findByEmail(String email);
}
MyUserDetails
public class MyUserDetails implements UserDetails {
private final String username;
private final String password;
public MyUserDetails(String username, String password) {
this.username = username;
this.password = password;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
Edit 2;
With in-memory authentication I can authenticate with certain endpoints, but again not /api/register
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.inMemoryAuthentication()
.passwordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance())
.withUser("user1")
.password("password")
.roles("USER");
}
Upvotes: 0
Views: 1780
Answers (2)
Reputation: 135
This is a mistake which I caused myself a great deal of effort over. Due to my naivety and overlooking where I was handling my exceptions, I was in fact returning a HTTP status with a custom exception on some if/else statement. That was fooling me into believing user authentication was not working when in fact it was. Lesson of the day: Use breakpoints and debug :)
Upvotes: 0
Reputation: 371
Try this:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/api/register/**").permitAll()
.antMatchers("/api/quizzes/**").authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder);
}
Upvotes: 2
Related Questions
- SpringBoot 401 UnAuthorized even with out security
- Spring Security - Unauthorized though permitting all requests
- Cannot configure spring boot security - always 403
- 403 forbidden - Spring Security
- Spring Boot Security sends 404 although credentials are correct - cant resolve redirect path
- Spring Security Authentication issue: HTTP 401
- Spring Boot - spring security authorization issues
- Springboot authentication issue
- SpringBoot and Spring Security not authenticate
- Spring Security Authentication not give 401 error