Reputation: 31
I'm building an API using Java 21, Spring Boot 3 and Spring Security 6, authenticating against Keycloak 22.
I have this code that configures my Spring Security:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();
    csrfRequestHandler.setCsrfRequestAttributeName("_csrf");
    return http
        .cors(Customizer.withDefaults())
        .csrf(csrf -> csrf
            .csrfTokenRequestHandler(csrfRequestHandler)
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
        .authorizeHttpRequests(requests -> requests
            .requestMatchers("auth/**").permitAll()
            .anyRequest().authenticated())
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt(jwt -> jwt
                .jwtAuthenticationConverter(grantedAuthoritiesExtractor())))
        .build();
}
I also have this configuration pointing to my Keycloak to validate the token.
security:
  oauth2:
    resourceserver:
      jwt:
        issuer-uri: 'http://localhost:8080/realms/core-creare'
I'm trying to bypass authentication for the path "/auth", but .permitAll() isn't working. When I do a POST request to "/auth", it returns 401 Unauthorized.
Upvotes: 1
Views: 5073
Reputation: 195
As of Feb 4, 2025 and Spring Security version 6.4.2 this works:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
            .authorizeHttpRequests(requests -> requests
                .requestMatchers("/tip", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .build();
    }
}
No deprecation warnings. IMPORTANT: Notice that "/error" is added to the permitAll() patterns.
Upvotes: 0
Reputation: 1
Did you check the Controller? There may be a chance you didn't add the RequestMapping prefix to the URL in requestMatchers: maybe "api/v1/auth/**" instead of "auth/**", depending on your RequestMapping.
Upvotes: 0
Reputation: 31
I solved the problem! In my security filter chain I needed to ignore /auth in the CSRF config:
return http
    .cors(Customizer.withDefaults())
    .csrf(csrf -> csrf
        .csrfTokenRequestHandler(csrfRequestHandler)
        .ignoringRequestMatchers("/auth/**")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
    .authorizeHttpRequests(requests -> requests
        .requestMatchers(new AntPathRequestMatcher("/auth/**")).permitAll()
        .anyRequest().authenticated())
    .oauth2ResourceServer(oauth2 -> oauth2
        .jwt(jwt -> jwt
            .jwtAuthenticationConverter(grantedAuthoritiesExtractor())))
    .build();
Upvotes: 2
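As an added example (not code from the question or any of the answers), the complete filter chain from the asker's fix with the two pitfalls called out in comments, plus one possible body for the grantedAuthoritiesExtractor() the question calls but never shows. The class name, the ROLE_ prefix mapping and the imports are assumptions; the realm_access.roles claim is Keycloak's default location for realm roles.

```java
import java.util.Collection;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration @EnableWebSecurity
public class SecurityConfig { // hypothetical class name
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();
        csrfRequestHandler.setCsrfRequestAttributeName("_csrf");
        return http
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf
                .csrfTokenRequestHandler(csrfRequestHandler)
                // CsrfFilter runs before authorization: a first POST to /auth carries no CSRF
                // cookie or header yet, so it must be excluded or it is rejected before permitAll matters.
                .ignoringRequestMatchers("/auth/**")
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(requests -> requests
                // Patterns match the request path, which starts with "/": "auth/**" never matches "/auth/...".
                .requestMatchers("/auth/**").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(grantedAuthoritiesExtractor())))
            .build();
    }

    // Assumed body for the converter the question calls: maps Keycloak realm roles
    // (claim realm_access.roles) to ROLE_* authorities so hasRole("...") checks work downstream.
    JwtAuthenticationConverter grantedAuthoritiesExtractor() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(SecurityConfig::realmRoles);
        return converter;
    }

    private static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        var realmAccess = jwt.getClaimAsMap("realm_access");
        Object roles = realmAccess == null ? null : realmAccess.get("roles");
        if (!(roles instanceof Collection<?> list)) return List.of(); // no realm roles: authenticated, no authorities
        return list.stream().map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
    }
}
```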