
I am using Spring version 3.0.5 and Spring Security version 6.0.2 with Spring MVC, and I am facing an issue accessing the public URLs that I configured through a SecurityFilterChain. The AppConfig class is below:

package com.test.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AppConfig {

    /**
     * Builds the application's only security filter chain.
     *
     * <p>Rules as written: CSRF protection is switched off, {@code /home} is open to
     * everyone, and every other request must be authenticated. No login mechanism
     * (form login, HTTP basic, ...) is configured in this method, which matches the
     * {@code Http403ForbiddenEntryPoint} seen in the debug log: an anonymous request
     * that misses the {@code /home} rule is rejected outright instead of being sent
     * to a login page.
     *
     * @param http the builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        // NOTE(review): CSRF protection is disabled with no stated reason. For a
        // browser-facing MVC application that uses sessions, confirm this is intended.
        http.csrf(csrfConfigurer -> csrfConfigurer.disable());

        // Only the path "/home" itself is permitted. The view name returned by the
        // controller ("guest/home") is a different path, so a follow-up dispatch to
        // /guest/home or /error falls through to anyRequest().authenticated().
        http.authorizeHttpRequests(registry -> registry
                .requestMatchers("/home").permitAll()
                .anyRequest().authenticated());

        return http.build();
    }

}

The basic controller is as follows:

package com.test.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class BasicController {

    /** Model attribute under which every handler publishes its page title. */
    private static final String TITLE_KEY = "title";

    /**
     * Handles {@code GET /home}, the one path the security configuration on this page
     * marks as {@code permitAll()}.
     *
     * @param model the view model to populate
     * @return the view name {@code guest/home}
     */
    @GetMapping("/home")
    public String showHome(Model model) {
        return page(model, "Home Page", "guest/home");
    }

    /**
     * Handles {@code GET /login}.
     *
     * <p>NOTE(review): with the security configuration on this page, {@code /login}
     * is not listed as public, so it falls under {@code anyRequest().authenticated()}.
     * Confirm whether the login page is meant to be reachable anonymously.
     *
     * @param model the view model to populate
     * @return the view name {@code guest/loginPage}
     */
    @GetMapping("/login")
    public String showLogin(Model model) {
        return page(model, "Login Page", "guest/loginPage");
    }

    /**
     * Handles {@code GET /user/index}, a path that requires authentication under the
     * security configuration on this page.
     *
     * @param model the view model to populate
     * @return the view name {@code user/home}
     */
    @GetMapping("/user/index")
    public String getUserHome(Model model) {
        return page(model, "User Home", "user/home");
    }

    /** Stores the page title in the model and hands back the view name unchanged. */
    private static String page(Model model, String title, String viewName) {
        model.addAttribute(TITLE_KEY, title);
        return viewName;
    }

}

The application.properties file is

# Port for the embedded server; the requests in the log go to localhost:8100.
server.port=8100

# User name and password for the single default user, kept here in plain text.
# NOTE(review): the filter chain on this page configures no form login or HTTP basic,
# so nothing shown here lets a client present these credentials - confirm how login
# is meant to work. Keep real credentials out of a committed properties file.
spring.security.user.name=abcd
spring.security.user.password=xyz

# Sets Spring Security's loggers to DEBUG; the FilterChainProxy trace quoted in the
# question is DEBUG output from those loggers. It records requested URLs and
# saved-request URLs, so treat it as a troubleshooting setting rather than a default.
logging.level.org.springframework.security=DEBUG

The following is my HTML page, which is located in templates -> guest -> home. I also have a base class, which I am not showing here.

<!doctype html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
    th:replace="guest/base::layout(~{::section})">
<head>
<meta charset="UTF-8" />
<title>Home Page</title>
</head>
<body>
    <section>
        <span>I am in home page.</span>
    </section>
</body>
</html>

Finally, I get the following error when I hit localhost:8100/home:


2023-04-01T06:18:27.012+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /home
2023-04-01T06:18:27.013+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy        : Secured GET /home
2023-04-01T06:18:27.015+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /guest/home
2023-04-01T06:18:27.015+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8100/guest/home?continue to session
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8100/error?continue to session
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.255+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /home
2023-04-01T06:18:27.256+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy        : Secured GET /home
2023-04-01T06:18:27.257+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /guest/home
2023-04-01T06:18:27.257+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8100/guest/home?continue to session
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8100/error?continue to session
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access

I expect that public URLs marked permitAll in the security filter chain should be accessible when I hit them.

1 Answer


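In Spring Security 6, the authorization filter applies to every dispatcher type, including DispatcherType.ERROR and DispatcherType.ASYNC, not only to the initial request. That is why the log shows /home being secured successfully while the follow-up dispatches to /guest/home and /error are rejected. To let a dispatcher type through without an authorization check, permit it explicitly.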

Update like this:

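// Requires: import jakarta.servlet.DispatcherType;
//
// In Spring Security 6 the authorization rules run on every dispatch, not only on the
// initial request. The question's log shows two follow-up dispatches being rejected
// after /home itself was allowed: one to /guest/home (the view name returned by the
// controller, which looks like a FORWARD) and one to /error. Permitting ERROR alone
// would still leave the /guest/home dispatch denied, so both types are listed here.
//
// NOTE(review): a dispatch to /guest/home suggests the view name is not being rendered
// by a template engine - confirm Thymeleaf is on the classpath. Permitting FORWARD
// removes the 403, but the forward target still has to exist.
//
// NOTE(review): csrf.disable() is carried over from the question unchanged. For a
// session-based, browser-facing application, confirm that it is intended.
http.csrf(csrf -> csrf.disable())
        .authorizeHttpRequests(auth -> auth
                // Forward targets and error pages skip the authorization check; the
                // original request was already authorized under the rules below. Protect
                // pages by their incoming URL, and do not forward to paths built from
                // request input.
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                .requestMatchers("/home").permitAll()
                .anyRequest().authenticated());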