I need to be authenticated to get public resources.

This construction worked for me and im getting only my public resources even when im authenticated. When im trying for example post request after being authenticated im getting 403 forbidden.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private/**").authenticated()
            .antMatchers("/private-scoped").hasAuthority("read:posts");
}

With this configuration i need to be authenticated to get access any of these resources, even public resources. When im authenticated everything works fine.

  @Override
protected void configure(HttpSecurity http) throws Exception {
    JwtWebSecurityConfigurer
            .forRS256(audience, issuer)
            .configure(http)
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private/**").authenticated()
            .antMatchers("/private-scoped").hasAuthority("read:posts");
}

Is it any possible way to bring together these two configurations into one?

Im sending jwt tokens from my frontend.

This is my config file:

import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 *
 * @author Kamil
 */
@Configuration
@EnableWebSecurity
public class AuthConfig extends WebSecurityConfigurerAdapter {

    @Value(value = "${auth0.apiAudience}")
    private String audience;
    @Value(value = "${auth0.issuer}")
    private String issuer;
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.applyPermitDefaultValues();
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedOrigins(Arrays.asList("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256(audience, issuer)
                .configure(http)
                .cors()
                .and()
                .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/private/**").authenticated()
                .antMatchers("/private-scoped").hasAuthority("read:posts");
    }
}

1 Answers

0
AmirBll On

Try this way:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private-scoped").hasAuthority("read:posts")
            .anyRequest().authenticated()
            .and()
            .cors(); 
}