I'm trying to configure Spring Security for my application, but despite using permitAll() for one of my endpoints (/api/authorization/company-login) I keep getting 404 exceptions. For other endpoints, I get 403 (Forbidden), which is completely right because I also use anyRequest().authenticated() for the others. So it seems that while anyRequest().authenticated() works, permitAll() doesn't.
I'm also sure that I put it in the right order, because my permitAll() is before anyRequest().authenticated().
The path to the endpoint also seems right, because if I change the path in antMatchers("/api/authorization/company-login").permitAll() to some other path, then for /api/authorization/company-login I get 403 (which is expected in that case). I'm not sure what is wrong in my configuration and how to make the /api/authorization/company-login endpoint accessible for all.
Dependencies I use for Spring Security:

    <!-- Spring Security -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
    </dependency>

My Spring Security configuration:

    @Configuration
    @EnableWebSecurity
    public class SpringSecurityConfiguration {

        @Autowired
        private GoAuthorizationFilter goAuthorizationFilter;

        @Autowired
        private GoAuthenticationEntryPoint goAuthenticationEntryPoint;

        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.cors().and().csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(goAuthenticationEntryPoint).and()
                .sessionManagement().and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilterBefore(goAuthorizationFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                // Matchers are evaluated in order: the permitAll() rule comes before the catch-all
                .antMatchers("/api/authorization/company-login").permitAll()
                .anyRequest().authenticated();
            return http.build();
        }
    }

Authentication Entry Point:

    @Component
    public class GoAuthenticationEntryPoint implements AuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
        }
    }

GoAuthorizationFilter:

    @Service
    public class GoAuthorizationFilter extends OncePerRequestFilter {

        @Transactional
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                throws ServletException, IOException {
            filterChain.doFilter(request, response);
        }
    }

While I was trying to make it work, I also got rid of the AuthenticationEntryPoint, but it seemed to have no impact. What is more, my filter has no logic implemented yet, so I know that it is not the cause of my problem.
My question is, what is wrong with my configuration, and why despite permitAll() I'm receiving 404 exceptions?
CodePudding user response:
Error 404 means that the endpoint (/api/authorization/company-login) is not found, meaning there is no controller registered on that path mapping.
Make sure that this path is correct in your configuration and matches the controller mapping.
CodePudding user response:
If you are getting 404, it is working, because 404 is for not found and 403 is for authorization. Check your URL at the controller first, and then check the output of the calling method in the controller.
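
The distinction both answers draw, shown as an added example that is not code from the question or the answers: a MockMvc test in which the response status reveals whether the security filter chain or the MVC dispatcher handled the request. It assumes Spring Boot 2.7.x (Spring Security 5.7, matching the antMatchers API used in the question) with spring-boot-starter-web, spring-boot-starter-test and spring-security-test on the classpath; the package, class names and the /api/unmapped and /api/anything-else paths are hypothetical.

```java
// Added example, not the asker's code. Package, class names and the
// /api/unmapped and /api/anything-else paths are hypothetical.
package example;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest(classes = PermitAllVersus404Test.App.class)
@AutoConfigureMockMvc
class PermitAllVersus404Test {
    @SpringBootApplication(proxyBeanMethods = false)
    @RestController
    static class App {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.csrf().disable().authorizeRequests()
                .antMatchers("/api/authorization/company-login", "/api/unmapped").permitAll()
                .anyRequest().authenticated();
            return http.build();
        }

        @PostMapping("/api/authorization/company-login") // the mapping a 404 says is missing
        public String companyLogin() { return "ok"; }
    }

    @Autowired MockMvc mvc;

    @Test
    void statusShowsWhichLayerAnswered() throws Exception {
        // Permitted and mapped: security lets it through, the controller answers.
        mvc.perform(post("/api/authorization/company-login")).andExpect(status().isOk());
        // Permitted but no handler: security lets it through, DispatcherServlet returns 404.
        mvc.perform(post("/api/unmapped")).andExpect(status().isNotFound());
        // Not permitted: rejected in the security filter chain before any handler lookup.
        mvc.perform(post("/api/anything-else")).andExpect(status().isForbidden());
    }
}
```

If the first assertion fails with 404 in a real project, compare the HTTP method and full path of the controller mapping (including any class-level @RequestMapping prefix or servlet context path) with the URL being called.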