Issue
Created sandbox project to play with Spring-Boot 3
and Spring-Security
. In previous versions of Spring-Security we had to extend the security config from the WebSecurityConfigurerAdapter
class, but as I see beginning with Spring-Security 6
we need to create FilterChain object. I'm trying to create basic configuration, but getting access denied message on doFilter()
operation. Here is my code:
POM
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.5</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.security</groupId>
<artifactId>security</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>security</name>
<description>test for security</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<image>
<builder>paketobuildpacks/builder-jammy-base:latest</builder>
</image>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
Security config(very basic)
/**
 * Security configuration from the question: a single filter chain that
 * requires authentication for every request.
 *
 * <p>The only authorization rule is {@code anyRequest().authenticated()}, so
 * no path is public. That includes {@code /api/v1/auth/sign_up} and the
 * {@code /error} path that the logs on this page show being secured
 * ("Securing POST /error"); an anonymous caller is sent to the authentication
 * entry point instead of reaching the controller.
 */
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {

    /** Registers BCrypt as the password encoder bean. */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the one filter chain of this configuration.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the chain applied to all requests (no security matcher is set)
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain publicFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                // CSRF protection stays on with its defaults, so state-changing
                // requests such as POST are expected to carry a CSRF token.
                .csrf(Customizer.withDefaults())
                // Deny-by-default: every request needs an authenticated principal.
                .authorizeHttpRequests(registry -> registry.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .formLogin(Customizer.withDefaults())
                .build();
    }
}
DTO
/**
 * Request body for the sign-up endpoint; carries only the phone number.
 *
 * <p>NOTE(review): no no-argument constructor is declared here. The
 * "Cannot construct instance ... (no delegate- or property-based Creator)"
 * JSON parse error in the logs on this page is consistent with that; confirm
 * against the constructors Lombok actually generates for this class.
 */
@Builder
@Data
public class RegistrationRequestDTO {

    // Phone number supplied by the client; untrusted input.
    @NonNull
    private String phone;
}
Controller
/** REST controller exposing the registration endpoint under {@code /api/v1}. */
@RestController
@RequestMapping("/api/v1")
public class AuthController {

    /**
     * Handles {@code POST /api/v1/auth/sign_up}.
     *
     * <p>The request body is bound to the DTO but not used; the handler is a
     * stub that always answers 200 with the body {@code "test"}.
     *
     * @param registrationRequestDTO deserialized JSON request body
     * @return a 200 OK response with a fixed body
     */
    @PostMapping("/auth/sign_up")
    public ResponseEntity<String> registerUser(@RequestBody RegistrationRequestDTO registrationRequestDTO) {
        return ResponseEntity.ok("test");
    }
}
I added the following to the properties file:
server.port=8087
logging.level.org.springframework.web= TRACE
logging.level.org.springframework.security= TRACE
So, when I'm calling endpoint from postman, I'm getting 401-error:
And in logs I see:
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:188) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:174) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.1.5.jar:6.1.5]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.0.13.jar:6.0.13]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.13.jar:6.0.13]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.13.jar:6.0.13]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.0.13.jar:6.0.13]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:410) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:340) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:362) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:222) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.15.jar:10.1.15]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
UPD
Logs after removing the exclusion of Lombok from the pom:
Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@29f0fb02] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$698/0x0000000801004660@29a87072
2023-11-14T16:52:55.116+02:00 DEBUG 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Secured POST /api/v1/auth/sign_up
2023-11-14T16:52:55.118+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.web.servlet.DispatcherServlet : POST "/api/v1/auth/sign_up", parameters={}, headers={masked} in DispatcherServlet 'dispatcherServlet'
2023-11-14T16:52:55.119+02:00 TRACE 10361 --- [nio-8087-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.test.security.controller.AuthController#registerUser(RegistrationRequestDTO)
2023-11-14T16:52:55.175+02:00 DEBUG 10361 --- [nio-8087-exec-1] o.s.web.method.HandlerMethod : Could not resolve parameter [0] in public org.springframework.http.ResponseEntity<java.lang.String> com.test.security.controller.AuthController.registerUser(com.test.security.config.RegistrationRequestDTO): JSON parse error: Cannot construct instance of `com.test.security.config.RegistrationRequestDTO` (although at least one Creator exists): cannot deserialize from Object value (no delegate- or property-based Creator)
2023-11-14T16:52:55.177+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-11-14T16:52:55.179+02:00 WARN 10361 --- [nio-8087-exec-1] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Cannot construct instance of `com.test.security.config.RegistrationRequestDTO` (although at least one Creator exists): cannot deserialize from Object value (no delegate- or property-based Creator)]
2023-11-14T16:52:55.179+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.web.servlet.DispatcherServlet : No view rendering, null ModelAndView returned.
2023-11-14T16:52:55.180+02:00 DEBUG 10361 --- [nio-8087-exec-1] o.s.web.servlet.DispatcherServlet : Completed 400 BAD_REQUEST, headers={masked}
2023-11-14T16:52:55.180+02:00 TRACE 10361 --- [nio-8087-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2023-11-14T16:52:55.180+02:00 TRACE 10361 --- [nio-8087-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-11-14T16:52:55.180+02:00 TRACE 10361 --- [nio-8087-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-11-14T16:52:55.181+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-11-14T16:52:55.184+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7b5b5bfe, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@74834afd, org.springframework.security.web.context.SecurityContextHolderFilter@c889805, org.springframework.security.web.header.HeaderWriterFilter@39c85c1a, org.springframework.security.web.authentication.logout.LogoutFilter@6f3f0ae, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@7b2ccba5, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7df28f1, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@75fd65c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5f59ea8c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@78d9f51b, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@72b6832e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@d499c13, org.springframework.security.web.access.ExceptionTranslationFilter@40113163, org.springframework.security.web.access.intercept.AuthorizationFilter@3913f206]] (1/1)
2023-11-14T16:52:55.184+02:00 DEBUG 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Securing POST /error
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/14)
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/14)
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/14)
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/14)
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/14)
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-11-14T16:52:55.185+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (6/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking DefaultLoginPageGeneratingFilter (7/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking DefaultLogoutPageGeneratingFilter (8/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (9/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.s.HttpSessionRequestCache : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (13/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (14/14)
2023-11-14T16:52:55.186+02:00 TRACE 10361 --- [nio-8087-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@d72bbd2]]
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@d72bbd2]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@173143aa
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-11-14T16:52:55.188+02:00 TRACE 10361 --- [nio-8087-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-11-14T16:52:55.189+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-11-14T16:52:55.189+02:00 TRACE 10361 --- [nio-8087-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
So, obviously I'm doing something wrong and don't quite understand how updated Spring-Security should be configured. Could anybody tell me how to configure it properly in order to receive request in controller?
Solution
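Here's how I modified your code so that it works. Two things were getting in the way: the single filter chain required authentication for every request, including the sign-up endpoint, so an anonymous POST could never reach the controller; and the DTO had no no-argument constructor, which is what the "Cannot construct instance" JSON parse error in your updated logs reports. Note that both chains below only match paths under /api/, so any other path in the application is not covered by them.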
POM
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<image>
<builder>paketobuildpacks/builder-jammy-base:latest</builder>
</image>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
Security config(very basic)
/**
 * Security configuration from the answer: two ordered filter chains.
 *
 * <p>The chain with {@code @Order(1)} is consulted first and handles only the
 * sign-up path; the chain with {@code @Order(2)} handles the rest of
 * {@code /api/**}.
 *
 * <p>NOTE(review): both chains carry a security matcher, so a request outside
 * {@code /api/**} matches neither of them. Unless another
 * {@code SecurityFilterChain} bean exists elsewhere, such paths are not
 * protected by this class; confirm that is intended before adding endpoints
 * outside {@code /api/**}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * Public chain for the registration endpoint.
     *
     * <p>The matcher is built without an HTTP method, so the permit-all rule
     * and the CSRF exemption are not limited to POST on this path.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the chain applied to {@code /api/v1/auth/sign_up}
     * @throws Exception if the chain cannot be built
     */
    @Bean
    @Order(1)
    SecurityFilterChain registrationFilterChain(HttpSecurity httpSecurity) throws Exception {
        AntPathRequestMatcher signUp = AntPathRequestMatcher.antMatcher("/api/v1/auth/sign_up");
        return httpSecurity
                .securityMatcher(signUp)
                // Anonymous access is allowed on this one path only.
                .authorizeHttpRequests(auth -> auth.requestMatchers(signUp).permitAll())
                // CSRF checks are skipped for the same path; they stay active elsewhere.
                .csrf(csrf -> csrf.ignoringRequestMatchers(signUp))
                .build();
    }

    /**
     * Authenticated chain for every other path under {@code /api/**}.
     *
     * <p>Uses HTTP Basic with a stateless session policy. CSRF is not
     * customized here, so it keeps Spring Security's default (enabled) and
     * state-changing requests are expected to carry a CSRF token.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the chain applied to {@code /api/**}
     * @throws Exception if the chain cannot be built
     */
    @Bean
    @Order(2)
    SecurityFilterChain publicFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .securityMatcher("/api/**")
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
DTO
/**
 * Request body for the sign-up endpoint; carries only the phone number.
 *
 * <p>Compared with the question's version, this one also declares a
 * no-argument and an all-arguments constructor, which gives the JSON mapper a
 * constructor it can call.
 *
 * <p>NOTE(review): if {@code @NonNull} is Lombok's annotation, it adds null
 * checks to generated code but does not by itself reject a request whose JSON
 * omits {@code phone}; the field would presumably stay null. Since this body
 * arrives on an unauthenticated endpoint, validate it explicitly in the
 * handler or with Bean Validation — TODO confirm which annotation is imported.
 */
@NoArgsConstructor
@AllArgsConstructor
@Builder
@Data
public class RegistrationRequestDTO {

    // Phone number supplied by the client; untrusted input.
    @NonNull
    private String phone;
}
Controller
/** REST controller exposing the registration endpoint under {@code /api/v1}. */
@RestController
@RequestMapping("/api/v1")
public class AuthController {

    /**
     * Handles {@code POST /api/v1/auth/sign_up}.
     *
     * <p>The request body is bound to the DTO but not used; the handler is a
     * stub that always answers 200 with the body {@code "test"}. Once real
     * registration logic is added, the DTO contents need validating here,
     * because the security configuration on this page permits this path
     * without authentication.
     *
     * @param registrationRequestDTO deserialized JSON request body
     * @return a 200 OK response with a fixed body
     */
    @PostMapping("/auth/sign_up")
    public ResponseEntity<String> registerUser(@RequestBody RegistrationRequestDTO registrationRequestDTO) {
        return ResponseEntity.ok("test");
    }
}
application.properties
server.port=8087
logging.level.org.springframework.web= TRACE
logging.level.org.springframework.security= TRACE
Answered By - DONGMO BERNARD GERAUD