0

I am doing poc on spring security social login.

Problem: I am getting http status 401 when I am invoking api with context path. I have added context path in antMatchers("/newcontext/").permitAll()**

Below is my application config and code.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example.</groupId>
    <artifactId>spring-security</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>spring-security</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>
                            <groupId>org.projectlombok</groupId>
                            <artifactId>lombok</artifactId>
                        </exclude>
                    </excludes>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

WebsecurityConfig.java

package com.example.springsecurity.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a
                        .antMatchers("/newcontext/**").permitAll()
                        .antMatchers("/", "/error","/webjars/**").permitAll()
                        .anyRequest().authenticated()
                )
                .exceptionHandling(e -> e
                        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                )
                .oauth2Login();
    }

}

TestController.java

package com.example.springsecurity.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    @GetMapping("/test")
    public String test(){
        return "success";
    }
}

postman request/response:

GET http://localhost:8080/newcontext/test

response: 401 Unauthorized

Am I adding the context path string incorrectly in antMatchers()? I have tried changing the position of /newcontext in antMatchers() as position of path to be excluded is vital in spring security. I have tried this as well

.antMatchers("/", "/error","/webjars/**", "/newcontext/**").permitAll()

application.yml

server:
  servlet:
    context-path: /newcontext
  port: 8081

spring:
  security:
    oauth2:
      client:
        registration:
          facebook:
            clientId: *********
            clientSecret: *********
            accessTokenUri: https://graph.facebook.com/oauth/access_token
            userAuthorizationUri: https://www.facebook.com/dialog/oauth
            tokenName: oauth_token
            authenticationScheme: query
            clientAuthenticationScheme: form
            resource:
              userInfoUri: https://graph.facebook.com/me
anonymous
  • 47
  • 10
  • @M.Deinum thanks for pointing out that. while pasting the postman response I actually bymistake pasted response of another tab of postman and missed it in my review question. – anonymous Aug 30 '22 at 06:54
  • 1
    As far as I know, you don't have to put your context path in your antmatcher. So adding `"/**"` should do what you want. – g00glen00b Aug 30 '22 at 07:25
  • @Prog_G newcontext is a context path defined in application.yml – anonymous Aug 30 '22 at 08:26
  • @g00glen00b by doing "/**" will permit all the path. I have to just allow path with **/newcontext** – anonymous Aug 30 '22 at 08:28
  • 1
    @anonymous If you set a context path, then all paths will start with `/newcontext` so I don't see the difference. Can you explain? – g00glen00b Aug 30 '22 at 09:17
  • 5
    Your context-path is _"/newcontext"_, so when you define path matcher as _"/newcontext/**"_ it will match something like _"localhost:8080/newcontext/newcontext/**"_. As your controller has _"/test"_ mapping, you should set `"permitAll"` for a matcher like _"/test"_ – Andrei Titov Aug 30 '22 at 09:33
  • 1
    @g00glen00b you are correct that all the api call will start with /newcontext call. what I actually wanted to do is permit only specific set of api like /newcontext/test, etc... and restrict others starting with same context name. I tried permitting /newcontext/test but it didn't worked so then tried with /newcontext/** (just for testing) but it also didn't worked, so then after doing all tries raise question on stackoverflow – anonymous Aug 30 '22 at 11:14

0 Answers0