TechQA.

Why does the request go through the filter if it is the chain is configured to bypass all requests to that path?

93 views Asked by At

I have the following config in Spring Boot 3.1.4. As you see I set to permit all requests to auth/login.

package com.example.demo.Auth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class AuthConfig {

    @Autowired
    private JwtFilter jwtFilter;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                    authorizationManagerRequestMatcherRegistry.requestMatchers("/auth/registration").permitAll();
                    authorizationManagerRequestMatcherRegistry.requestMatchers("/auth/login").permitAll();
                    authorizationManagerRequestMatcherRegistry.anyRequest().authenticated();
                })
                .httpBasic(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .build();
    }

}

This is the http request

POST localhost:8080/auth/login
Content-Type: application/json

{
  "userName": "jane_doe",
  "password": "pw12345789"
}

Expected:

  • I expect the request to pass and to be processed by the controller.

Actual:

  • The request goes anyway through the jwtFilter and AuthorizationFilter which finally returns an 403.

My config doesnt seem to work. Why does the request go through the filter if it is the chain is configured to bypass all requests to that path?

spring-boot spring-boot-security
Original Q&A
1

There are 1 answers

0
wmkoch On

I believe the issue here is the AuthService is throwing an exception when the username provided in the HTTP request isn't found. When the ResponseStatusException is thrown, spring-boot's default error handling is triggered, which performs a server-side redirect to /error. You can see this by enabling logging for spring-security:

# src/main/resources/application.yml
logging.level:
  org.springframework.security: trace

With the above logging configuration, you'll see something like this in the logs:

o.s.security.web.FilterChainProxy        : Securing POST /error

The redirect to /error engages spring-security because it is not specified in the SecurityFilterChain as an unauthenticated route. You can add the following to your SecurityFilterChain bean:

authorizationManagerRequestMatcherRegistry.requestMatchers("/error").permitAll();

Or provide your own error handling logic as outlined by spring-boot's documentation (like providing your own @ControllerAdvice bean)

Related Questions in SPRING-BOOT

Related Questions in SPRING-BOOT-SECURITY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions