
My goal is to configure Spring Security in the following manner:

  • Any routes starting with private should be authenticated via Spring Boot oauth2ResourceServer
  • All other routes should be freely accessible

I have tried the code below, but this gives me the issue that it also tries to validate routes other than private.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
                .authorizeRequests()
                // only /private/** should require an authenticated caller ...
                .antMatchers("/private/**").authenticated()
                // ... everything else is meant to be open
                .antMatchers("/**").permitAll()
                .and()
                // validate bearer JWTs on the authenticated requests
                .oauth2ResourceServer().jwt();
    }

}

My dependencies are:

  • org.springframework.boot:spring-boot-starter-oauth2-resource-server:2.6.2
  • org.springframework.boot:spring-boot-starter-security:2.6.2
  • org.springframework.boot:spring-boot-starter-web:2.6.2

Any ideas?

Willem van der Veen

1 Answer


It turned out to be blocked by CSRF protection, which is on by default in Spring Security.

The following for me was working:

// replaces configure(HttpSecurity) in the WebSecurityConfigurerAdapter from the question
@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .cors().and()
            // CSRF protection is enabled by default and was rejecting the requests
            .csrf().disable()
            .authorizeRequests()
            .mvcMatchers("/private/**").authenticated()
            .mvcMatchers("/**").permitAll()
            .and()
            .oauth2ResourceServer().jwt();
}

Note that for this to work you need to have the following specified in your application.properties.

spring.security.oauth2.resourceserver.jwt.jwk-set-uri

For example in the case of google oauth2 this is:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://www.googleapis.com/oauth2/v3/certs

This points to the JSON Web Key (JWK) set which is used to verify your token. Your token should be sent as an Authorization header in the following form to your Spring server:

bearer {{your token here}}
Willem van der Veen