
I am migrating from Spring Security 5.7.x to 6.1.0. After fixing all the javax -> jakarta changes, removing WebSecurityConfigurerAdapter, and adding the security configuration from the dependency, it now seems like my main project is ignoring the security configuration from the dependency.

The security configuration from the dependency.

import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@Slf4j
public class WebSecurityConfig {

    private final AuthFilter authFilter;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .formLogin(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(sessionManager -> sessionManager.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .exceptionHandling(exceptionHandling -> exceptionHandling.authenticationEntryPoint(
                        (request, response, ex) -> {
                            log.error("Unauthorized request - {}", ex.getMessage());
                            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, ex.getMessage());
                        }))
                .authorizeHttpRequests(
                        authorizeHttpRequest -> authorizeHttpRequest
                                .requestMatchers("/**").permitAll()
                                .anyRequest().authenticated())
                .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}

AuthFilter

@Component
@RequiredArgsConstructor
@Slf4j
public class AuthFilter extends OncePerRequestFilter {}

I'm expecting the AuthFilter to be called first, but execution never even reaches it. It seems like it's ignored.

Does anyone have any idea what leads to this? Let me know which part of the configuration you want to take a look at.

infD
    Your security rules don't make sense. `.requestMatchers("/**").permitAll()` allows all access, whereas `.anyRequest().authenticated()` needs authentication. The last one is now useless, as the first one will always match. Another thing is that you need a `FilterRegistrationBean` to prevent the `AuthFilter` from being registered as a default filter (which executes before Spring Security). – M. Deinum Jun 21 '23 at 08:27
  • Yep, sorry about the security rules, but I cannot publish them. The main logic is actually in AuthFilter, which I cannot publish either. Normally it should be called, but it hasn't been since I migrated the version. So I'm seeking help in case I missed any configuration. – infD Jun 21 '23 at 08:32
  • Enable Spring Security trace logs and read them; they should say exactly which filters it is passing. But without more information or a working, running example this is impossible to answer. – Toerktumlare Jun 21 '23 at 09:07
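As an added example (not code from the question or the answers), here is how the two points in M. Deinum's comment look in a Spring Security 6 configuration: specific public paths are listed before `anyRequest().authenticated()`, and a `FilterRegistrationBean` with `setEnabled(false)` stops Spring Boot from also registering the `@Component` filter with the servlet container, so it runs only where `addFilterBefore` puts it. The `AuthFilter` class and the example paths are assumptions.

```java
// Added example: AuthFilter (a OncePerRequestFilter @Component) and the
// public paths below are assumptions, not the asker's actual code.
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    private final AuthFilter authFilter;

    public WebSecurityConfig(AuthFilter authFilter) {
        this.authFilter = authFilter;
    }

    // Spring Boot registers every Filter bean with the servlet container, so a
    // @Component filter would also run outside the Spring Security chain (before
    // it, on every request). Disabling that registration keeps it in one place.
    @Bean
    public FilterRegistrationBean<AuthFilter> authFilterRegistration() {
        FilterRegistrationBean<AuthFilter> registration = new FilterRegistrationBean<>(authFilter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .formLogin(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth
                        // specific public paths first; "/**" here would match every request
                        .requestMatchers("/actuator/health", "/public/**").permitAll()
                        .anyRequest().authenticated())
                .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

With `logging.level.org.springframework.security=TRACE` set, the filter chain log line at startup should list `AuthFilter` exactly once, between the session and username/password filters.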

2 Answers


The problem might be related to your custom bean name filterChain being the same as another one coming from the context. Could you try renaming it?

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@Slf4j
public class WebSecurityConfig {

    final private AuthFilter authFilter;

    @Bean
    public SecurityFilterChain myCustomFilterChain(HttpSecurity http) throws Exception {
     
codependent

Can you please add WebSecurityConfig to the org.springframework.boot.autoconfigure.AutoConfiguration.imports file, which is defined under the resources directory shown in the image.

directory structure