Issue
In my WebSecurityConfigurerAdapter I am using the following methods:
private final AuthenticationProvider authenticationProvider;
private final JWTFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().disable()
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
}
However, in my GraphQLMutationResolver I cannot access the following method (error-code: 403 - no logs):
@PreAuthorize("isAnonymous()")
public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
}
Any ideas concerning the security configuration? - is the @PreAuthorize("isAnonymous()")-Part correct?
Solution
Thanks to @Marcus-Hert-da-Coregio I have found a way to debug the app and figured out that the issue was caused by the order in which I wrote my HTTPSecurity-Configuration-Statements - similar to the following post: Spring security always returns HTTP 403
This works for me (so csrf and cors need to be disabled at the end):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class) // Filter
.cors().disable()
.csrf().disable();
}
Answered By - Martin Dallinger
Answer Checked By - Mildred Charles (JavaFixing Admin)
