1

I am trying to access my API through Postman. In the config, I have set /authenticate to be permitted, but I get 401 unauthorized all the time.

The relevant function:

@Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/authenticate").permitAll().
                // all other requests need to be authenticated
                        anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                        exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // Add a filter to validate the tokens with every request
        httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }

My dependencies

<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
        <scope>runtime</scope>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.3.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>
</dependencies>

Any help would be appreciated

Dani
  • 556
  • 7
  • 23
  • Usually you would want to exclude from security checks the authentication URL. For more details check: https://stackoverflow.com/questions/22767205/spring-security-exclude-url-patterns-in-security-annotation-configurartion – lainatnavi Dec 21 '20 at 20:29
  • Also make sure that the filter works correctly. E.g. try to authenticate a user by requesting another resource rather than /authenticate with a valid token. – lainatnavi Dec 21 '20 at 20:32
  • 1
    Sometimes this happens due to issues with csrf and cors, try adding `.csrf().disable().cors()` to your httpSecurity object – Pablo Andrés Rodas Giraldo Dec 21 '20 at 21:04
  • @PabloAndrésRodasGiraldo Thanks for the suggestion but I still get the same result – Dani Dec 22 '20 at 10:21

1 Answers1

0

The problem here is that even if you are configuring Spring Security to allow every user, your request is going thru the same security chain as for the other requests. I am guessing that your call to the authentication endpoint does not contain anything in the authorization header, or to say in other way, your token is empty, therefore you are getting a 401. In this case, one solution can be to say to spring security that for the URL for the authentication, the request wont travel thru the security chain. You can achieve that with the following code in your Spring Security configuration.

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/authenticate");
}

I hope this can solve your problem.

Juan BC
  • 176
  • 2
  • 8