Security issue in Spring Boot 3 with Payara 6


I am using Spring Boot 3.2.0, packaged as a war, and deploying it on Payara 6.

The issue is that when I log in from the frontend, I get a CORS error. When I try to call the same method from Postman, I get an HTTP Status 403 - Forbidden error.

Here's my code:

From SecurityConfig.java:

    /**
     * Builds the single Spring Security filter chain for the application.
     *
     * <p>CSRF protection is switched off and sessions are never created: authentication is
     * expected to arrive on every request as a bearer token handled by {@code jwtFilter}, which is
     * placed in front of {@link UsernamePasswordAuthenticationFilter}. CORS is enabled with
     * {@code Customizer.withDefaults()}, which picks up the {@code CorsConfigurationSource} bean.
     *
     * <p>Authorization rules are evaluated in declaration order: all {@code OPTIONS} requests
     * (preflights) and {@code PUBLIC_PATHS} are open, {@code /applications**} requires the
     * {@code SUPER} authority, and everything else only needs an authenticated principal.
     *
     * @param http the builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Stateless bearer-token auth: no session cookie, which is the usual justification for
        // disabling CSRF. If a cookie-based login is ever added, CSRF must be re-enabled.
        http.csrf(AbstractHttpConfigurer::disable);
        http.cors(Customizer.withDefaults());
        http.headers(headersCustomizer());
        http.sessionManagement(manager -> manager.sessionCreationPolicy(STATELESS));
        http.authorizeHttpRequests(auth -> {
            // Let preflights through regardless of path so the browser can read the CORS headers.
            auth.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll();
            auth.requestMatchers(PUBLIC_PATHS).permitAll();
            // NOTE(review): "**" that is not a whole path segment behaves like "*" within one
            // segment, so this rule likely matches "/applicationsXYZ" but NOT "/applications/1";
            // sub-paths would then fall through to the weaker anyRequest() rule below. If
            // sub-resources are meant to be SUPER-only, "/applications/**" is the usual pattern
            // (verify against the actual endpoint paths).
            auth.requestMatchers("/applications**").hasAuthority(AuthoritiesConstants.SUPER);
            auth.anyRequest().authenticated();
        });
        // NOTE(review): no httpBasic/formLogin/exceptionHandling entry point is configured, so an
        // unauthenticated request that reaches these rules is answered by Spring Security's
        // default Http403ForbiddenEntryPoint with a bare 403 - consistent with the 403 observed
        // from Postman if the request passed jwtFilter without an Authentication being set.
        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    /**
     * CORS policy applied to every path: any origin, any method, any request header.
     *
     * <p>{@code allowCredentials} is deliberately left unset (false). That is what makes the
     * {@code "*"} origin acceptable to Spring; a credentialed configuration (cookies) would have
     * to use {@code setAllowedOriginPatterns} instead, and Spring rejects {@code "*"} combined
     * with credentials. With bearer tokens in the {@code Authorization} header no credentials
     * flag is needed - the header itself is covered by the allowed-headers wildcard.
     *
     * @return a {@link UrlBasedCorsConfigurationSource} registering the allow-all policy on {@code /**}
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration allowAll = new CorsConfiguration();
        // CorsConfiguration.ALL is the "*" wildcard.
        allowAll.setAllowedOrigins(List.of(CorsConfiguration.ALL));
        allowAll.setAllowedMethods(List.of(CorsConfiguration.ALL));
        allowAll.setAllowedHeaders(List.of(CorsConfiguration.ALL));
        source.registerCorsConfiguration("/**", allowAll);
        return source;
    }

From JWTFilter.java:

    /**
     * Authenticates the request from its {@code Authorization} bearer token and, when the token
     * is valid, places the resulting {@link Authentication} in the security context before
     * continuing the filter chain.
     *
     * <p>Behaviour by branch: CORS preflights are answered with a bare 200 and the chain is not
     * continued; the login path ({@code user-jwt/auth}) may pass without a bearer token; any other
     * request must carry a token that {@code tokenProvider.validateToken} accepts. Failures are
     * turned into a response by {@code handleJwtAuthenticationException}.
     *
     * @param request     current request
     * @param response    current response
     * @param filterChain remaining chain, continued only on the login-bypass and valid-token paths
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        try {
            // Per-request correlation id for log lines; removed again in the finally block.
            MDC.put(Constants.TRANSACTION_ID, ApplicationUtils.generateUniqueTransactionId());
            // NOTE(review): this early return answers the preflight with no Access-Control-*
            // headers. Inside Spring Security's chain the CorsFilter runs first and would normally
            // consume the preflight before this filter; but if this filter is also registered with
            // the servlet container (e.g. as a @Component on an external container such as
            // Payara), it runs ahead of CorsFilter and the browser sees a header-less 200 - a
            // plausible cause of the reported CORS error. Confirm the filter's registration/order.
            if (CorsUtils.isPreFlightRequest(request)) {
                response.setStatus(HttpServletResponse.SC_OK);
                return;
            }
            String authHeader = request.getHeader(AUTHORIZATION);
            boolean hasBearer = !StringUtils.isBlank(authHeader) && authHeader.startsWith(Constants.TOKEN_PREFIX);
            String servletPath = request.getServletPath();
            // Login endpoint may be reached without a token.
            // NOTE(review): contains() is a substring test, so any servlet path containing
            // "user-jwt/auth" qualifies; and on an external container getServletPath() may not be
            // the full request path depending on the DispatcherServlet mapping - verify that this
            // branch is actually taken on Payara for the login request.
            if (!hasBearer && servletPath.contains("user-jwt/auth")) {
                filterChain.doFilter(request, response);
                return;
            }
            String jwt = tokenProvider.resolveToken(authHeader);
            // NOTE(review): when validateToken returns false nothing is written here and the
            // chain is not continued; presumably validateToken writes the error response itself
            // (it receives the response) - confirm, otherwise the client gets an empty reply.
            if (!this.tokenProvider.validateToken(jwt, response)) {
                return;
            }
            this.checkMultipleSessions(jwt);
            Authentication authentication = this.tokenProvider.getAuthentication(jwt);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            filterChain.doFilter(request, response);
        } catch (JwtTokenException ex) {
            this.handleJwtAuthenticationException(response, HttpStatus.UNAUTHORIZED, ex.getMessage(), ex.getCode());
        } catch (ForbiddenException ex) {
            // NOTE(review): a ForbiddenException is reported as 400 rather than 403 - confirm
            // this mapping is intended.
            this.handleJwtAuthenticationException(response, HttpStatus.BAD_REQUEST, ex.getMessage(),
                    ex.getCode());
        } catch (RuntimeException ex) {
            // NOTE(review): any other runtime failure is reported as a 400 with a generic
            // message; nothing in this block logs the original exception, so the root cause is
            // invisible to operators - consider logging it (without token contents).
            this.handleJwtAuthenticationException(response, HttpStatus.BAD_REQUEST, UNKNOWN_SERVER_ERROR.getMessage(),
                    UNKNOWN_SERVER_ERROR.getCode());
        } finally {
            MDC.clear();
        }
    }

Is this a common issue with Payara 6? Any solution or idea would be appreciated.

