Spring Security-Configuration seems to have no effect

Time:04-16

I want to create a simple login. I already created one, and it worked as it should, but when I start this server, it gives the following output:

2022-04-15 20:02:27.303  INFO 45172 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will not secure any request

This is the corresponding config-file:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Project-specific user service; it must implement UserDetailsService
    // for auth.userDetailsService(...) below to accept it.
    private final IUserService userService;

    @Autowired
    public SecurityConfig(IUserService userService){
        this.userService = userService;
    }

    // Registers the user service with the global AuthenticationManagerBuilder.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
    }

    // Paths matched here are removed from the security filter chain completely
    // (no authentication, no CSRF protection, no security headers).
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/mw_rest_api/**");
    }

    // loginSuccessHandler() and loginFailureHandler() are defined elsewhere
    // in the project and are not shown in the post.
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .authorizeRequests()
                    .antMatchers("/login", "/register", "/assets/**").permitAll()
                    // hasRole("ADMIN") matches the authority "ROLE_ADMIN"
                    .antMatchers("/", "/control-panel", "/control-panel/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .successHandler(loginSuccessHandler())
                    .failureHandler(loginFailureHandler())
                    .and()
                .logout()
                    .permitAll()
                    .logoutSuccessUrl("/login");
    }
}

Now I am wondering if I have forgotten something which I don't see? Or is this a bug of Spring itself?
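
As an added check (not code from the original post), a MockMvc test that verifies whether the SecurityConfig above is actually applied to requests. It assumes a Spring Boot project with spring-security-test on the test classpath and that the project's IUserService bean can be created in the test context; the test class name and the path under /mw_rest_api/ are hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class; it loads the full application context so the
// SecurityConfig under test (and the IUserService it needs) is the project's own.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousRequestToProtectedPageIsRedirectedToLogin() throws Exception {
        // If the chain really "will not secure any request", this call reaches the
        // controller instead of being redirected by the login entry point.
        // MockMvc's default host is localhost, so the absolute Location is predictable.
        mockMvc.perform(get("/control-panel"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test
    @WithMockUser(roles = "USER")
    void authenticatedUserWithoutAdminRoleIsForbidden() throws Exception {
        // hasRole("ADMIN") is enforced in the filter chain, before any controller runs.
        mockMvc.perform(get("/control-panel"))
               .andExpect(status().isForbidden());
    }

    @Test
    void ignoredApiPathBypassesSecurityEntirely() throws Exception {
        // webSecurity.ignoring() takes /mw_rest_api/** out of the filter chain, so an
        // anonymous request there is never redirected to /login; whatever protects
        // that API (the question does not say) has to live outside this config.
        mockMvc.perform(get("/mw_rest_api/ping"))   // "/ping" is a constructed path
               .andExpect(header().doesNotExist("Location"));
    }
}
```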

CodePudding user response:

In the configure() method you need to disable csrf(); then you can give your authorizeRequests() with antMatchers(). I think everything is fine.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // NoOpPasswordEncoder compares passwords in plain text (deprecated in Spring Security).
        provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
        return provider;
    }

    // Exposes the AuthenticationManager as a bean (used by the JWT REST login).
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Turns off CSRF protection for every endpoint, including form posts.
                .csrf().disable()
                .authorizeRequests().antMatchers("/login", "/post/blog/**", "/post/viewpost", "/authentication/create").permitAll()
                .antMatchers("/post/filter/page/**", "/post/sorted/page/**", "/post/search/page/**").permitAll()
                .antMatchers("/authentication/register", "/review/comment/**").permitAll()
                .antMatchers("/post/newPost", "/post/publish", "/post/update", "/post/delete").hasAnyAuthority("ADMIN", "AUTHOR")
                .antMatchers( "/review/updateComment", "/review/deleteComment").hasAnyAuthority("ADMIN", "AUTHOR", "USER")
                .antMatchers("/rest/authenticate", "/rest/blog/**", "/rest/viewpost/**", "/rest/create").permitAll()
                .antMatchers("/rest/filter/page/**", "/rest/sorted/page/**", "/rest/search/page/**", "/rest/comment").permitAll()
                .antMatchers("/post/register").permitAll()
                .antMatchers("/rest/newPost", "/rest/publish", "/rest/update", "/rest/delete").hasAnyAuthority("ADMIN", "AUTHOR")
                .antMatchers("/rest/comment/**", "/rest/updateComment/**", "/post/deleteComment/**").hasAnyAuthority("ADMIN", "AUTHOR", "USER")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/authentication/login").permitAll()
                .defaultSuccessUrl("/post/blog")
                .and()
                .logout().invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/authentication/logout-success").permitAll();
    }
}

This is my code; you can take it for reference.

And I was using JWT for the REST API.

CodePudding user response:

Remove permitAll() after logout(). Remove permitAll() after login("...").