antMatchers() is not working , and gives forbidden error

Time:11-03

I have an endpoint called authenticate; this endpoint is given to antMatchers("/authenticate") to skip authorization for this endpoint, but it still checks for the authentication.

code:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // We don't need CSRF for this example
    httpSecurity.csrf().disable()
            // don't authenticate this particular request
            .authorizeRequests().antMatchers("/authenticate").permitAll()
            // all other requests need to be authenticated
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
            .and()
            // make sure we use a stateless session; the session won't be used to
            // store the user's state.
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Add a filter to validate the tokens with every request
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}

CodePudding user response:

Try adding this method; it makes sure this endpoint is ignored.

@Override
public void configure(final WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/authenticate");
}

CodePudding user response:

If it cannot be evaluated, just pass through in your authentication filter.

    @Override
    protected void doFilterInternal(final HttpServletRequest req,
        final HttpServletResponse res,
        final FilterChain chain) throws IOException, ServletException {
        final String header = req.getHeader("Authorization");

        if (header == null || !header.startsWith("Bearer ")) {
            // if cannot be evaluated
            chain.doFilter(req, res);
            return;
        }

        // do authentication

        // SecurityContextHolder.getContext().setAuthentication() if authenticated normally
        // throw AuthenticationException if received illegal credentials
    }

See also AbstractAuthenticationProcessingFilter#attemptAuthentication() javadoc:

The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails
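The pass-through described in the answer above, written out as a complete filter. This is an added example, not code from the original post or from Spring Security itself: `TokenVerifier`, `VerifiedToken` and `InvalidTokenException` are hypothetical placeholders for whatever actually validates the JWT (signature, expiry, issuer); the Spring classes used (`OncePerRequestFilter`, `UsernamePasswordAuthenticationToken`, `SecurityContextHolder`, `WebAuthenticationDetailsSource`) are real, and the `javax.servlet` imports assume the Spring Boot 2 / `WebSecurityConfigurerAdapter` generation the question's configuration belongs to.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical: thrown by the verifier when a presented token is not acceptable. */
class InvalidTokenException extends Exception {
    InvalidTokenException(String message) { super(message); }
}

/** Hypothetical: what a successfully verified token tells us about the caller. */
final class VerifiedToken {
    private final String subject;
    private final List<GrantedAuthority> authorities;

    VerifiedToken(String subject, List<GrantedAuthority> authorities) {
        this.subject = subject;
        this.authorities = Collections.unmodifiableList(authorities);
    }

    String subject() { return subject; }
    List<GrantedAuthority> authorities() { return authorities; }
}

/** Hypothetical: the JWT library call (signature, expiry, issuer checks) lives behind this. */
interface TokenVerifier {
    VerifiedToken verify(String token) throws InvalidTokenException;
}

public class JwtRequestFilter extends OncePerRequestFilter {
    private static final String BEARER_PREFIX = "Bearer ";
    private final TokenVerifier verifier;

    public JwtRequestFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req,
                                    HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");

        // Nothing to evaluate: do NOT reject here. Continue anonymously and let
        // authorizeRequests() decide later whether this URL needs authentication.
        // /authenticate (permitAll) goes through; protected URLs still end up at
        // the configured AuthenticationEntryPoint with a 401.
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            chain.doFilter(req, res);
            return;
        }

        String token = header.substring(BEARER_PREFIX.length()).trim();
        try {
            VerifiedToken verified = verifier.verify(token);
            // Credentials are null: the token itself has already been checked.
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    verified.subject(), null, verified.authorities());
            auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (InvalidTokenException e) {
            // A token was presented but failed verification: make sure nothing
            // stale is left in the context and continue unauthenticated, so the
            // authorization rules reject protected URLs exactly as they would
            // for a request with no token at all.
            SecurityContextHolder.clearContext();
        }

        chain.doFilter(req, res);
    }
}
```

Two points worth keeping in mind when choosing between this and the `web.ignoring()` approach from the first answer: `permitAll()` keeps `/authenticate` inside the security filter chain (security headers, CSRF handling and the session policy still apply to it), whereas `web.ignoring()` removes the URL from the chain entirely. And if you would rather answer an invalid token with an immediate 401 instead of continuing anonymously, the `catch` block can delegate to the same entry point the configuration registers, via `jwtAuthenticationEntryPoint.commence(req, res, new BadCredentialsException("invalid token"))` followed by `return`.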