
The setup is like this: as authentication server I have a Keycloak; as API gateway I use spring-cloud-gateway with a Netflix Eureka client as DiscoveryClient. Of course I need user management: a "simple" register for unauthenticated people, and registering people as users with the admin role. The WebSecurityConfig of the resource server (Usermanagementservice) looks like this:

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Map the Keycloak roles in the JWT to Spring GrantedAuthorities
        // (KeycloakRoleConverter is the application's own converter class)
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());

        http
        .authorizeRequests()
            // registration endpoints are open to everyone
            .antMatchers("/register/**")
            .permitAll()
        .and()
        .authorizeRequests()
            // everything under the service path needs one of these roles
            .antMatchers("/usermanagementservice/**")
            .hasAnyRole("admin", "anotherrole")
            .anyRequest()
            .authenticated()
        .and()
            // validate bearer JWTs issued by Keycloak
            .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(jwtAuthenticationConverter);
    }
}

The RegisterController looks like this:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/register")
public class RegisterController {

   // Service, User and Response are the application's own types
   @Autowired
   private Service service;

   // GET /register/status: reachable without authentication
   @GetMapping("/status")
   public boolean checkStatus()
   {
        return true;
   }

   // POST /register/create: this is the request that returns 401
   @PostMapping("/create")
   public Response createUser(@RequestBody User user)
   {
       return service.doSomething(user);
   }

}

So if everything is running and I make the GET request to my API gateway on localhost:8083/register/status, I get the boolean back as the response. If I send a POST request to the gateway with a JSON object, I get 401 Unauthorized. I added the @Order(1) annotation to the WebSecurityConfig; nothing changed, like here. I tried and read this, that and this one, and not to forget that one. But no luck at all. :( Any help would be appreciated. Thank you very much in advance. :)

Hugo
    Will you please share more details about the `POST` request? For more detail, please also permit the `/error` endpoint in your `authorizeRequests` section. You also might consider turning on Spring Security's TRACE logging. – jzheaux Feb 23 '21 at 23:13
  • @jzheaux thank you very much for the idea with the logger stack trace ... I'm just a junior :D The error was because CSRF wasn't disabled ... Thank you very much, so `http.csrf.disable` was the solution... – Hugo Feb 24 '21 at 09:59

1 Answer

http
.csrf().disable()

was the missing piece in the configure method of WebSecurityConfig. Thank you very much @jzheaux for guiding me.

Hugo
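For the reader who wants to see the whole picture rather than the one missing line, here is the asker's configuration with the answer applied, written as an added example (it is not code from the question or the answer). It assumes the asker's own KeycloakRoleConverter class exists and that the authorities it produces carry the ROLE_ prefix, because hasAnyRole("admin", ...) matches only an authority named ROLE_admin; if the converter emits bare role names, hasAnyAuthority would be the matching check. It also folds in the /error permit from jzheaux's comment, so that a failing request reaches the error page instead of being masked by a second 401, and declares the session policy as stateless, which is what makes disabling CSRF safe: a bearer token in the Authorization header is never attached automatically by the browser the way a session cookie is, so there is no cross-site request to forge.

```java
// Added example: the asker's WebSecurityConfig with the accepted fix applied.
// Assumes KeycloakRoleConverter (the asker's class) exists and returns
// authorities prefixed with ROLE_ so that hasAnyRole matches them.
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());

        http
            // The missing piece from the answer. Without it the CSRF filter rejects
            // every POST/PUT/DELETE that lacks a CSRF token before any authorization
            // rule is consulted, which is why GET worked and POST did not.
            .csrf().disable()
            // Make the reason explicit: a JWT resource server holds no HttpSession,
            // so no cookie exists for a cross-site page to ride on.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // One rule set; the first matching pattern wins, so list specific paths first.
            .authorizeRequests()
                .antMatchers("/register/**").permitAll()
                // permit the error dispatch so the real failure is visible (jzheaux's comment)
                .antMatchers("/error").permitAll()
                .antMatchers("/usermanagementservice/**").hasAnyRole("admin", "anotherrole")
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter);
    }
}
```

If the same application ever adds cookie-based sessions next to bearer tokens (for example a browser login flow on the same host), disabling CSRF globally is no longer safe; in that case keep CSRF protection on and exempt only the token-authenticated paths with the csrf() configurer's ignoringAntMatchers, or split the two into separate filter chains.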