Jose Gleeson

Reputation: 323

Why am I getting a 401 when using Spring Security 6, permitAll and after disabling CSRF?

There are some similar questions so I have done my best to signify differences but I have reviewed them and they don't seem to match my question.

I have a few simple use cases...

Given I am a user 
And I am not authenticated
When I use a GET request
Then I get a 200 response

Given I am a user 
And I am not authenticated
When I use a POST request
Then I get a 401 response

I try to get this to work using spring security like this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .requestMatchers(HttpMethod.GET).permitAll()
                .anyRequest().authenticated()
        ).csrf().disable();
        return http.build();
    }

But when I run and try to hit http://localhost:8080 with a GET request I still get a 401. If I remove all of the dependencies from the POM then it goes back to giving me a 200.

What am I missing? What do I need to allow requests through without a token?

I also tried this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .anyRequest().permitAll()
        ).oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt );
        return http.build();
    }

But this also provides a 401.

Upvotes: 0

Views: 2565

Answers (2)

Steve Riesenberg

Reputation: 6166

The first security configuration you provided intends to match on "every request that is a GET". The method signature is requestMatchers(HttpMethod method, String... patterns). Your usage omits the patterns, and so matches "no requests that are a GET".

Note: I'm actually surprised that the method allowed you to pass no argument(s) for the patterns parameter. Perhaps that's a worthwhile enhancement suggestion.

In your example, you can do this:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .requestMatchers(HttpMethod.GET, "/**").permitAll()
                    .anyRequest().authenticated()
                )
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
            return http.build();
        }

    }

Note: You do need at least one authentication mechanism specified, which your config is missing.

Upvotes: 1
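Added example, not code from the question or the answer: a MockMvc test that pins the question's two use cases (anonymous GET passes, anonymous POST is refused) to the corrected SecurityConfiguration above. It assumes spring-boot-starter-test and spring-security-test on the test classpath, that the answer's filter chain is the application's only one, and it supplies an assumed controller on "/" plus a stand-in JwtDecoder so the context starts without a reachable issuer.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not from the question or answer: checks the question's two
// use cases against the corrected SecurityFilterChain shown in the answer.
@SpringBootTest
@AutoConfigureMockMvc
class FilterChainAuthorizationTest {
    // Assumed endpoints so a permitted GET yields 200 rather than 404.
    @RestController
    static class RootController {
        @GetMapping("/") String read() { return "read"; }
        @PostMapping("/") String write() { return "written"; }
    }

    @TestConfiguration
    static class TestSupport {
        @Bean RootController rootController() { return new RootController(); }
        // Stand-in decoder so the context starts with no issuer-uri; jwt() below
        // fills the SecurityContext directly, so this decoder is never invoked.
        @Bean JwtDecoder jwtDecoder() {
            return token -> { throw new IllegalStateException("unused in this test"); };
        }
    }

    @Autowired MockMvc mvc;

    @Test
    void getIsOpenButPostNeedsJwt() throws Exception {
        // Unauthenticated GET matches requestMatchers(GET, "/**").permitAll().
        mvc.perform(get("/")).andExpect(status().isOk());
        // Unauthenticated POST hits anyRequest().authenticated(); the resource server's
        // BearerTokenAuthenticationEntryPoint answers 401 with a WWW-Authenticate header.
        mvc.perform(post("/")).andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
        // jwt() installs a JwtAuthenticationToken and skips CSRF for this request.
        mvc.perform(post("/").with(jwt())).andExpect(status().isOk());
    }
}
```

Swap the matcher back to the question's pattern-less requestMatchers(HttpMethod.GET) and the first expectation fails with 401, which is the symptom the question describes.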

Jose Gleeson

Reputation: 323

This seems to work...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/").permitAll()
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(Customizer.withDefaults())
                );
        return http.build();
    }

Upvotes: 0
