
I am facing this problem...

I have the Spring Security filter in my web.xml:

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I am using Spring Security and I have this in my springSecurity-applicationContext.xml:

<http
        authentication-manager-ref="myAuthManager"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="authenticationEntryPoint"
        create-session="ifRequired"
        access-denied-page="/unauthorized">
    <custom-filter ref="myPreAuthenticatedFilter" position="PRE_AUTH_FILTER"/>
    <logout logout-success-url="/page/home"/>
    <anonymous key="anonymous"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/method/do" access="IS_AUTHENTICATED_ANONYMOUSLY()"/>
</http>

So, in myPreAuthenticationFilter I have a filter that extends AbstractPreAuthenticatedProcessingFilter.

I am trying to execute /method/do with a DELETE or a POST without success.

I am wondering what would be the best way to do it?

For some reason, when I put a breakpoint in myPreAuthenticationFilter's doFilter and make the request with DELETE, nothing happens; it only hits when I do the GET.

I want that endpoint to have no security.

I made this and it worked:

<http pattern="/method/do" security="none"/>

Not sure why this works and the others don't, or where I should look.

Any idea?

The errors I get are Forbidden.

jpganz18

1 Answer

If using Spring Security 4 or above, the CSRF filter is enabled by default and it actually blocks any POST, PUT or DELETE request which does not include the CSRF token.

If you are not sending the CSRF token in these kinds of requests, you should make a test just disabling it by configuring <csrf disabled="true"/> in your secured <http> section in your security XML, this way:

<http
        authentication-manager-ref="myAuthManager"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="authenticationEntryPoint"
        create-session="ifRequired"
        access-denied-page="/unauthorized">
    <custom-filter ref="myPreAuthenticatedFilter" position="PRE_AUTH_FILTER"/>
    <logout logout-success-url="/page/home"/>
    <anonymous key="anonymous"/>

    <intercept-url pattern="/method/do" access="IS_AUTHENTICATED_ANONYMOUSLY()"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <csrf disabled="true"/>
</http>

Edit: I have just realized that the order of the intercept-url elements should be just the opposite, starting from the most specific and ending with the most generic (I have already modified this in the sample configuration I suggested).

In your case, it does not affect the behaviour given that both mappings have the same access policy, but it should be this way.

jlumietu
  • But by doing this I would disable CSRF in the whole project, wouldn't I? – jpganz18 Feb 08 '18 at 16:53
  • Yes of course. But given that `get` is the only request type that works, it seems that the problem is that you are not sending the csrf token or at least, if you are actually sending it, it is not correct. And if with just this change it starts working, then you could decide whether you want to continue with it disabled or try to fix it and send it the right way. And have a look at my last edit of the answer – jlumietu Feb 08 '18 at 17:14
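The comments above raise the real trade-off: `<csrf disabled="true"/>` removes the CSRF check for every endpoint, and `<http pattern="/method/do" security="none"/>` removes the whole filter chain (including the pre-authentication filter) for that one path. A middle ground that Spring Security's XML namespace supports is handing the `<csrf>` element its own `RequestMatcher` via `request-matcher-ref`; the filter then asks that matcher whether a given request needs a token. The class below is an added example written for this answer, not code from the question or from Spring Security itself; the package name `com.example.security`, the class name `CsrfExemptMatcher` and the list of exempt paths are my own choices. It reproduces the default rule (GET, HEAD, TRACE and OPTIONS never need a token) and exempts only the patterns you list, so every other POST, PUT or DELETE in the application stays protected.

```java
package com.example.security; // hypothetical package chosen for this example

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * RequestMatcher for <csrf request-matcher-ref="..."/>.
 *
 * CsrfFilter calls matches() to ask "does this request REQUIRE a CSRF token?".
 * Returning true means the token is checked and a missing/invalid token yields
 * 403 Forbidden; returning false lets the request through without a token.
 */
public class CsrfExemptMatcher implements RequestMatcher {

    /** Same safe-method set Spring Security's default CSRF matcher uses. */
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    /** Ant-style path patterns that may be called without a token. */
    private final List<RequestMatcher> exempt = new ArrayList<RequestMatcher>();

    /**
     * @param exemptPatterns paths to exempt, e.g. "/method/do" (constructed for
     *                       this example; pick only endpoints that are truly safe
     *                       to call cross-site)
     */
    public CsrfExemptMatcher(List<String> exemptPatterns) {
        for (String pattern : exemptPatterns) {
            // AntPathRequestMatcher matches servletPath + pathInfo, like intercept-url does
            exempt.add(new AntPathRequestMatcher(pattern));
        }
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // Read-only methods never need a token (default behaviour preserved).
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        // Explicitly exempted endpoints skip the token check ...
        for (RequestMatcher matcher : exempt) {
            if (matcher.matches(request)) {
                return false;
            }
        }
        // ... and every other state-changing request is still protected.
        return true;
    }
}
```

Wire it in the security XML by defining the bean, `<bean id="csrfMatcher" class="com.example.security.CsrfExemptMatcher"><constructor-arg><list><value>/method/do</value></list></constructor-arg></bean>`, and replacing `<csrf disabled="true"/>` inside `<http>` with `<csrf request-matcher-ref="csrfMatcher"/>`. With this in place a DELETE to /method/do reaches the controller and the pre-authentication filter still runs for it, while a POST elsewhere without the token (sent as the `_csrf` request parameter or the `X-CSRF-TOKEN` header) is still rejected with 403. If you would rather keep the endpoint protected, the fix on the client side is to send the token instead of exempting the path.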