Spring Security 6 Config for non authenticated Endpoints not working

Time: 12-29

After updating Spring Boot to version 3.0.1 and Spring Security 6.0, the public endpoints without authentication are no longer working. I followed the upgrade guide for Spring Security 6 and removed the WebSecurityConfigurerAdapter.

My Security Config:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {

    @Value("${auth0.audience}")
    private String audience;

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    // Decoder built from the issuer's OIDC discovery document; on top of the default
    // issuer and timestamp checks it also requires the configured audience claim.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
                JwtDecoders.fromOidcIssuerLocation(issuer);

        // AudienceValidator is the application's own OAuth2TokenValidator<Jwt> (not shown in the post)
        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

    // Stateless JWT resource server: /rest/public/** open, everything else needs a valid bearer token.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/rest/public/**").permitAll()
                        .anyRequest().authenticated()
                )
                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
                .build();
    }
}

I'm using Postman to execute GET calls (e.g. http://localhost:8090/rest/public/export/) against my application, and it keeps telling me that authentication is needed -> 401 Unauthenticated

Spring Security-specific startup logs:

swordEncoderAuthenticationManagerBuilder : No authenticationProviders and no parentAuthenticationManager defined. Returning null.
o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@6acb45c1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@294c44b7, org.springframework.security.web.context.SecurityContextHolderFilter@5dd23809, org.springframework.security.web.header.HeaderWriterFilter@13390a96, org.springframework.security.web.csrf.CsrfFilter@af9dd34, org.springframework.security.web.authentication.logout.LogoutFilter@3f80d8c, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@41bd6a0f, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@60ab895f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@78bd02c8, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@30bbe83, org.springframework.security.web.access.ExceptionTranslationFilter@57b33c29, org.springframework.security.web.access.intercept.AuthorizationFilter@3c8fe8ad]
o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8090 (http) with context path 

Logs when calling a public endpoint:

o.s.security.web.FilterChainProxy        : Securing GET /rest/public/export/
o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8090/rest/public/export/?continue to session

I've followed this guide: https://docs.spring.io/spring-security/reference/migration/index.html

CodePudding user response:

You need to declare your class as @Configuration because otherwise the declared @Beans won't be created and registered in the application context. It should look like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig { // beans unchanged from the question
}
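As an added example (this is not code from the question or from the answer above): the corrected configuration together with a MockMvc test that pins the intended behaviour down, so a filter chain that silently fails to register breaks the build instead of turning up in Postman. It assumes a package `com.example.security`, a hypothetical controller with the routes `/rest/public/export` and `/rest/private/report`, and it swaps the question's OIDC-backed `NimbusJwtDecoder` for a constructed stub that rejects every token, so the test runs offline. The deprecated `@EnableGlobalMethodSecurity` is replaced by its Spring Security 6 successor `@EnableMethodSecurity`, and the `jwt()` call is written in the `Customizer` form that also survives the 6.1 deprecations.

```java
package com.example.security;                       // assumed package

import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest
@AutoConfigureMockMvc
class PublicEndpointSecurityTest {

    // Hypothetical controller: one route under the permitAll prefix, one outside it.
    @RestController
    static class ExportController {
        @GetMapping("/rest/public/export") String export() { return "public"; }
        @GetMapping("/rest/private/report") String report() { return "private"; }
    }

    // @Configuration is what the question's class lacked: in Spring Security 6
    // @EnableWebSecurity no longer carries it, so without it this class is never
    // registered, Boot's default chain takes over and every request gets 401.
    @Configuration
    @EnableAutoConfiguration
    @EnableWebSecurity
    @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
    @Import(ExportController.class)
    static class SecurityConfig {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            return http
                    .csrf(csrf -> csrf.disable())
                    .authorizeHttpRequests(auth -> auth
                            .requestMatchers("/rest/public/**").permitAll()
                            .anyRequest().authenticated())
                    .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                    .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                    .build();
        }

        // Constructed stand-in for the OIDC-backed NimbusJwtDecoder in the question so the
        // test runs offline; BadJwtException is what a malformed or unverifiable token yields.
        @Bean
        JwtDecoder jwtDecoder() {
            return token -> { throw new BadJwtException("test stub: no token accepted"); };
        }
    }

    @Autowired
    MockMvc mvc;

    @Test
    void publicRouteNeedsNoToken() throws Exception {
        mvc.perform(get("/rest/public/export"))
                .andExpect(status().isOk());
    }

    @Test
    void otherRoutesGet401WithBearerChallenge() throws Exception {
        mvc.perform(get("/rest/private/report"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().string("WWW-Authenticate", "Bearer"));
    }

    @Test
    void malformedTokenIsRejectedNotIgnored() throws Exception {
        mvc.perform(get("/rest/private/report").header("Authorization", "Bearer not-a-jwt"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().string("WWW-Authenticate", containsString("invalid_token")));
    }
}
```

The startup log in the question already shows the symptom: the chain that was built contains a `CsrfFilter`, and the request log saves the request to the session via `HttpSessionRequestCache`, even though the posted config disables CSRF and sets `SessionCreationPolicy.STATELESS` (which swaps in a null request cache). A filter list that contradicts your own `HttpSecurity` calls means Boot's default chain is in effect and your class was never picked up; once the `@Configuration` class is registered, those two lines disappear and the first test above goes green.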