I have the following WebSecurity configuration:
    @Autowired
    private ApplicationAuthenticationProvider appProvider;

    @Bean
    @Qualifier("apiAuthenticationFilter")
    public TokenAuthenticationFilter apiAuthenticationFilter(TokenAuthenticationFailureHandler failureHandler,
                                                             TokenAuthenticationSuccessHandler successHandler) throws Exception {
        TokenAuthenticationFilter filter = new TokenAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.setAuthenticationFailureHandler(failureHandler);
        filter.setAuthenticationSuccessHandler(successHandler);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests()
                .antMatchers("/api/oauth2/token", "/api/oauth2/application/token").permitAll()
                .antMatchers("/api/internal**").hasAuthority("READ_ALL")
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
            .authenticationProvider(this.appProvider)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN))
            .and()
            .cors().disable()
            .formLogin().disable()
            .csrf().disable()
            .logout().disable();
    }
I tried accessing http://localhost:8080/api/oauth2/token?client_id=...&other_query_params=param, but instead of accessing that page, as configured here:
    .antMatchers("/oauth2/token", "/oauth2/application/token").permitAll()
it calls the filter chain and the filter added here:
    .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
which rejects my request because of a missing token, but it should be allowed instead.
This is what my log says:
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 4 of 10 in additional filter chain; firing Filter: 'TokenAuthenticationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Request is to process authentication
26-01-2021 INFO 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Invoked attempAuthentication
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Invalid token submitted: null
question from:
https://stackoverflow.com/questions/65904000/spring-ignores-permitall-rule
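The log explains the behaviour: permitAll() only configures the authorization check at the end of the chain, while a filter registered with addFilterBefore runs for every request the /api/** chain accepts, and its own request matcher (the "'/api/oauth2/token' against '/api/**'" line) decides whether it attempts authentication. As an added example that is not part of the question or its project, one fix is to give the filter a request matcher that excludes the public token endpoints; the Authorization: Bearer header and the PreAuthenticatedAuthenticationToken are assumptions about how the token is carried and consumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Token filter whose own request matcher mirrors the authorization rules: it
// guards /api/** except the endpoints the HttpSecurity config marks permitAll().
// Without this exclusion the filter runs first and rejects the request before
// the permitAll() rule (checked at the end of the chain) is ever consulted.
public class TokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Public endpoints; keep in sync with the permitAll() antMatchers.
    private static final RequestMatcher PUBLIC_ENDPOINTS = new OrRequestMatcher(
            new AntPathRequestMatcher("/api/oauth2/token"),
            new AntPathRequestMatcher("/api/oauth2/application/token"));

    // Everything under /api/** that is not public.
    private static final RequestMatcher PROTECTED_API = new AndRequestMatcher(
            new AntPathRequestMatcher("/api/**"),
            new NegatedRequestMatcher(PUBLIC_ENDPOINTS));

    public TokenAuthenticationFilter() {
        super(PROTECTED_API); // replaces the bare "/api/**" matcher seen in the log
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // Assumption: the token is carried in "Authorization: Bearer <token>".
        String header = request.getHeader("Authorization");
        String token = (header != null && header.startsWith("Bearer ")) ? header.substring(7).trim() : null;
        if (token == null || token.isEmpty()) {
            // Same failure as in the question's log, now raised only on protected paths.
            throw new AuthenticationServiceException("Invalid token submitted: " + token);
        }
        // Assumption: the question's ApplicationAuthenticationProvider accepts a
        // pre-authenticated token whose principal is the raw credential string.
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, "N/A"));
    }
}
```

The @Bean method from the question can keep calling the no-arg constructor, since the constructor now sets the narrower matcher; after this change the token endpoints reach FilterSecurityInterceptor, where permitAll() applies.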