Home > Net >  How to permitAll anonymous access in Spring boot 3 or above?
How to permitAll anonymous access in Spring boot 3 or above?

Time:12-24

After upgraded to spring boot 3.0.0 from 2.7.6, public api are not accessible,

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http.csrf(CsrfConfigurer::disable)
    .authorizeHttpRequests(requests -> requests
            .anyRequest().authenticated())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .build();
}

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return web -> web.ignoring().requestMatchers(CorsUtils::isPreFlightRequest) 
            .requestMatchers("/actuator/**", "/graphiql/**", "/voyager/**", "/vendor/**", "/rest/**",
                    "/swagger-ui/**", "/v3/api-docs/**");
}

CodePudding user response:

The methods have not changed too much.

Sample :

@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http
        // ...
        .authorizeHttpRequests(authorize -> authorize                                  
            .requestMatchers("/resources/**", "/signup", "/about").permitAll()         
            .requestMatchers("/admin/**").hasRole("ADMIN")                             
            .requestMatchers("/db/**").access(new WebExpressionAuthorizationManager("hasRole('ADMIN') and hasRole('DBA')"))   
            // .requestMatchers("/db/**").access(AuthorizationManagers.allOf(AuthorityAuthorizationManager.hasRole("ADMIN"), AuthorityAuthorizationManager.hasRole("DBA")))   
            .anyRequest().denyAll()                                                
        );

    return http.build();
}

Provided of https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

EDIT : To complete my answer, you have access to all methods, so to set up a resource server you need to add this :

@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http
        // ...
        .authorizeHttpRequests(authorize -> authorize                                  
            // ...                                                
        )
        .and()
        .oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt )


    return http.build();
}

Remember to add the variables corresponding to your OAuth2 provider

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://{your-ouath2-provider}/{issuer-uri}
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://{your-ouath2-provider}/{jwk-uri} (optionnal)

The links depend on your oauth2 provider.

For more information about the resource owner server : https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html

CodePudding user response:

You are almost there: move what you did in WebSecurityCustomizer in SecurityFilterChain definition:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http.csrf(CsrfConfigurer::disable)
        .authorizeHttpRequests(requests -> requests
            .requestMatchers("/resources/**", "/signup", "/about").permitAll() 
            .anyRequest().authenticated())
        .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
        .build();
}

Few notes:

  • never disable CSRF protection if you don't also disable sessions with http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  • CORS is configured with SecurityFilterChain too: http.cors().configurationSource(corsConfigurationSource())
  • you might need to map roles or groups or whatever your authorization-server populates as private-claim to Spring authorities by providing your own jwtAuthenticationConverter to JWT oauth2ResourceServer configurer

You can do all of above with no Java conf (just a few properties) with thin wrappers around spring-boot-starter-oauth2-resource-server I wrote:

        <dependency>
            <groupId>com.c4-soft.springaddons</groupId>
            <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
            <version>6.0.9</version>
        </dependency>

@EnableMethodSecurity
public static class SecurityConfig {
}

com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
# This is adapted to Keycloak with a client-id spring-addons-public. Replace with the claim(s) your authorization-server puts roles into
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons-public.roles

# you might want something more restrictive as allowed origins (accepts a list), at least for a part of your endpoints
com.c4-soft.springaddons.security.cors[0].path=/**
com.c4-soft.springaddons.security.cors[0].allowed-origins=*

Complete (short) tutorials there (with spring libs only or "my" wrappers): https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials

Page link:https//www.codepudding.com/net/652049.html

Prev:How do I retrieve the Nth item in multiple sorted lists as if there was one overall sorted list?
Next:Read hashmap with inner array of objects in java
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding