Issue
I'm trying to make the GET endpoint "/propostas/buscar/propostas-publicas" accept anonymous access, but permitAll() does not allow that.
This is my PUBLIC_MATCHERS_GET, which contains the endpoint I want to open for anonymous access:
private static final String[] PUBLIC_MATCHERS_GET = {
    "/",
    "/editais/**",
    "/propostas/buscar/propostas-publicas",
    "/swagger-ui.html/**",
    "/v2/api-docs/**",
    "/webjars/**",
    "/swagger-resources/**"
};
My custom configuration class (extending WebSecurityConfigurerAdapter) has the following overridden configure method:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
        .and()
        .authorizeRequests()
            .antMatchers(HttpMethod.GET, ADMIN_MATCHERS_GET).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, ADMIN_MATCHERS_PUT).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.DELETE, ADMIN_MATCHERS_DELETE).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, ADMIN_MATCHERS_POST).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, PROPONENTE_MATCHERS_POST).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, PROPONENTE_MATCHERS_PUT).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.DELETE, PROPONENTE_MATCHERS_DELETE).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, DISCENTE_MATCHERS_GET).hasAnyAuthority("ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, USUARIO_MATCHERS_GET).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, USUARIO_MATCHERS_PUT).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, USUARIO_MATCHERS_POST).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
            .antMatchers(HttpMethod.POST, PUBLIC_MATCHERS_POST).permitAll()
            .antMatchers(PUBLIC_MATCHERS).permitAll()
            .antMatchers("/oauth2/**", "/oauth2/*", "/oauth/*").permitAll()
        .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            // .anyRequest().permitAll()
        .and()
        .oauth2Login()
            .authorizationEndpoint()
                .baseUri("/oauth2/authorize")
                .authorizationRequestRepository(cookieAuthorizationRequestRepository())
                .and()
            .redirectionEndpoint()
                .baseUri("/login/oauth2/code/*")
                .and()
            .userInfoEndpoint()
                .userService(customOAuth2UserService)
                .and()
            .successHandler(oAuth2AuthenticationSuccessHandler)
            .failureHandler(oAuth2AuthenticationFailureHandler);

    http.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtil));
    http.addFilter(new JWTAuthorizationFilter(authenticationManager(), jwtUtil, userDetailsService));

    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .logout()
            .logoutSuccessUrl("/")
            .clearAuthentication(true)
            .permitAll();

    // Line to use H2 web console
    http.headers().frameOptions().sameOrigin();
}
Solution
In Spring Security, order matters: the first match is the one that gets used. Move your matcher up. Here is an example that I have used in my project:
http
    .httpBasic().disable()
    .csrf().disable()
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .authorizeRequests()
        // open endpoints are declared first, so they win the first-match check
        .mvcMatchers(AUTHENTICATION_ENDPOINTS).permitAll()
        .mvcMatchers(ADMIN_ENDPOINTS).hasRole(ADMIN)
        // catch-all comes last
        .anyRequest().authenticated();
Answered By - J Asgarov
Answer Checked By - Willingham (JavaFixing Volunteer)
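The following configuration is an added example and is not code from the question or the answer. It shows the ordering rule applied to the asker's own path: the public matcher is declared before any broader prefix, and the catch-all comes last. The contents of PROPONENTE_MATCHERS_GET are not shown on the page, so the "/propostas/**" pattern below is an assumption chosen because it is the kind of prefix that would shadow "/propostas/buscar/propostas-publicas" when declared earlier; the class name OrderedSecurityConfig is likewise made up for the example.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

// Added example, not the question's or the answer's code.
// Spring Security evaluates antMatchers in declaration order and applies the
// first rule that matches a request; later rules are never consulted.
@EnableWebSecurity
public class OrderedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Public GET paths. Keep this list narrow: a permitAll on a broad prefix
    // placed first would open every path beneath it.
    private static final String[] PUBLIC_MATCHERS_GET = {
        "/",
        "/editais/**",
        "/propostas/buscar/propostas-publicas"
    };

    // Assumption for this example: the role-restricted list contains a prefix
    // that also matches the public path above. The real list is not on the page.
    private static final String[] PROPONENTE_MATCHERS_GET = {
        "/propostas/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and().csrf().disable()
            // Same entry point as in the question: unauthenticated requests that
            // reach a restricted rule get a plain 403 instead of a login redirect.
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // 1. Most specific and most permissive rules first. An anonymous
                //    GET to /propostas/buscar/propostas-publicas is decided here.
                .antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
                // 2. Broader role-restricted prefixes after the public ones. If
                //    this line came first, "/propostas/**" would also match the
                //    public path and demand ROLE_P/ROLE_A/ROLE_R for it.
                .antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET)
                    .hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
                // 3. Catch-all last: anything not matched above requires a login.
                .anyRequest().authenticated();
    }
}
```

To pin the ordering so a later reshuffle cannot silently reopen or close paths, a MockMvc test that performs an unauthenticated GET against /propostas/buscar/propostas-publicas and expects 200, and one against another /propostas/ path expecting the 403 produced by Http403ForbiddenEntryPoint, documents the intended access rules in an executable form.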