Reputation: 353
How to configure Spring Security to avoid 'anonymousUser'
I have a Spring Boot application with Spring Security configured as follows:
@EnableWebSecurity
public class AppSecurityConfiguration {
@Configuration
@Order(Constants.DEVSTACK_SECURITY_ORDER - 1)
static class WebHttpSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* Configures Application WebSecurity which involves the full Security pipeline (?)
*
* @param web WebSecurity
*/
@Override
public void configure(WebSecurity web) {
web.ignoring()
// Allow requests to HealthCheck Endpoint without Bearer Token
.antMatchers("/api/healthCheck", "/v3/api-docs/**", "/configuration/**", "/swagger-ui.html",
"/swagger-ui/**", "/webjars/**", "/api/v1/browser/**", "/swagger-resources/**")
// Allow OPTIONS request without Bearer Token (for pre-flight requests)
.antMatchers(HttpMethod.OPTIONS, "/**");
}
/**
* Configures HttpSecurity
*
* @param http HttpSecurity
* @throws Exception if an error occurs
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
//Authorize INSECURE request to this endpoint (so Swagger can pull the data)
.antMatcher("/v2/api-docs")
.authorizeRequests()
.anyRequest()
.permitAll();
}
}
}
Here in this Configuration class I'm ignoring certain endpoints from passing through Spring Security, most of them are for Swagger documentation so you can ignore it.
My problem is inside the configure(HttpSecurity) method. I don't know why but the way I wrote it it just works. When I try to understand what I just configured I read it like this:
- For every request to "/v2/api-docs", authorize the requests
- For any other requests, permit them all.
Now I want to add a Custom Filter to the Spring Security Filter Chain. This is the Filter class:
public class MyFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
log.debug("MyFilter");
filterChain.doFilter(servletRequest, servletResponse);
}
}
Whenever I try to add the filter to my HttpSecurity, I end up with Spring Security setting my Principal to 'anonymousUser'.
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new MyFilter(), WebAsyncManagerIntegrationFilter.class);
}
I've tried many different things like:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(new MyFilter(), WebAsyncManagerIntegrationFilter.class)
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.disable()
.formLogin()
.disable();
}
But it still returns 'anonymousUser' when I try to get the user's Principal.
I don't know why having it configured like this works?!?!
@Override
protected void configure(HttpSecurity http) throws Exception {
http
//Authorize INSECURE request to this endpoint (so Swagger can pull the data)
.antMatcher("/v2/api-docs")
.authorizeRequests()
.anyRequest()
.permitAll();
}
Can someone enlighten me and explain me like i'm five years old? Sometimes I just think I'm too stupid to understand Spring
Thanks
Upvotes: 3
Views: 3607
Answers (1)
Reputation: 1754
It should be:
http
.authorizeRequests()
.antMatchers("/v2/api-docs")
.permitAll()
.and()
.authorizeRequests().antMatchers("/**").authenticated()
Upvotes: 1
Related Questions
- Spring Security anonymous 401 instead of 403
- How to permitAll anonymous access in Spring Boot 3 or above?
- How to make Spring Security allow anonymous POST requests?
- spring security always returning anonymousUser
- Spring Boot Security - Anonymous User access on default mapping /
- Spring - Access denied for an Anonymous Authentication
- Spring Boot Security Anonymous authorization
- Spring security - allowing anonymous access
- Java based configuration to enable spring security anonymous access
- Spring security | issue in granting access to anonymous users