Permit all does not authorize anonymous access

Question

Im trying to made the get endpoint called "/propostas/buscar/propostas-publicas" accept anonymous access, but the permitAll() does not allows that.

this is my PUBLIC_MATCHERS_GET with contains the endpoint I want to open for anonymous access:

    private static final String[] PUBLIC_MATCHERS_GET = {
        "/",
        "/editais/**",
        "/propostas/buscar/propostas-publicas",
        "/swagger-ui.html/**",
        "/v2/api-docs/**",
        "/webjars/**",
        "/swagger-resources/**"
    };

The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter) has the following configure method:

    @Override
    protected void configure(HttpSecurity http) throws Exception {       
        http
            .cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())

            .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, ADMIN_MATCHERS_GET).hasAnyAuthority("ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.PUT, ADMIN_MATCHERS_PUT).hasAnyAuthority("ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.DELETE, ADMIN_MATCHERS_DELETE).hasAnyAuthority("ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.POST, ADMIN_MATCHERS_POST).hasAnyAuthority("ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.POST, PROPONENTE_MATCHERS_POST).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.PUT, PROPONENTE_MATCHERS_PUT).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.DELETE, PROPONENTE_MATCHERS_DELETE).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")           
                .antMatchers(HttpMethod.GET, DISCENTE_MATCHERS_GET).hasAnyAuthority("ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.GET, USUARIO_MATCHERS_GET).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.PUT, USUARIO_MATCHERS_PUT).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
                .antMatchers(HttpMethod.POST, USUARIO_MATCHERS_POST).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")

                .antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
                .antMatchers(HttpMethod.POST, PUBLIC_MATCHERS_POST).permitAll()
                .antMatchers(PUBLIC_MATCHERS).permitAll()
                .antMatchers("/oauth2/**", "/oauth2/*", "/oauth/*").permitAll()

                .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
//              .anyRequest().permitAll()

            .and()
            .oauth2Login()  
                .authorizationEndpoint()
                .baseUri("/oauth2/authorize")
                .authorizationRequestRepository(cookieAuthorizationRequestRepository())

            .and()
            .redirectionEndpoint()
                .baseUri("/login/oauth2/code/*")
            
            .and()
            .userInfoEndpoint()
                .userService(customOAuth2UserService)
            
            .and()
                .successHandler(oAuth2AuthenticationSuccessHandler)
                .failureHandler(oAuth2AuthenticationFailureHandler);
            
            http.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtil));
            http.addFilter(new JWTAuthorizationFilter(authenticationManager(), jwtUtil, userDetailsService));
            http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

            .and()
            .logout()
                .logoutSuccessUrl("/")
                .clearAuthentication(true)
                .permitAll();  
            
                // Line to use H2 web console
            http.headers().frameOptions().sameOrigin();
    }

score 1 · Accepted Answer · edited Jan 09 '22 at 10:25

1

In Spring Security order matters. First match is the one that gets used. Move your match up. Here is an example that I have used in my project:

http
    .httpBasic().disable()
    .csrf().disable()
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .authorizeRequests()
        .mvcMatchers(AUTHENTICATION_ENDPOINTS).permitAll()
        .mvcMatchers(ADMIN_ENDPOINTS).hasRole(ADMIN)
        .anyRequest().authenticated();

edited Jan 09 '22 at 10:25

dur

15,689
25
79
125

answered Jan 09 '22 at 07:05

J Asgarov

2,526
1
8
18

I tried that, but the error was similar but not the same. A previous entry was swallowing the authorization due to the general structure of the request, there was a /proposals/search/** swallowing the request that went to /proposals/search/public-proposals. – FUNKYBAT Jan 10 '22 at 13:59

Permit all does not authorize anonymous access

1 Answers1