I am currently migrating my Spring version to the newest one, but I am struggling a lot with the new SecurityFilterChain settings.
I have a list of endpoints which should be available for all: mainly login, registration, as well as some callbacks from other partner sides. Before the migration I just provided the array to the filter and it worked.
The current (new) implementation looks like this:
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable).cors(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(Endpoints.PUBLIC_ENDPOINTS).permitAll()
            .anyRequest().authenticated()
        )
        .exceptionHandling()
        .authenticationEntryPoint(jwtAuthenticationEntryPoint)
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
```
This gives me a 401 Unauthorized for the /authentication/login endpoint. What am I doing wrong? Is there any good tutorial or example for the new way of creating the filter?
For completeness, here is my old implementation:
```java
httpSecurity.cors().and().csrf().disable() // don't authenticate this particular request
    .authorizeRequests()
    .antMatchers(Endpoints.PUBLIC_ENDPOINTS)
    .permitAll()
    .anyRequest() // all other requests need to be authenticated
    .authenticated().and().exceptionHandling() // make sure we use stateless session; session won't be used to
    // store user's state.
    .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
```