403 forbidden error on authentication filter


I am working on a basic Spring Boot API using MySQL as the database. I created a signup endpoint (`/users`) that bcrypt-hashes the password. For login, I created an authentication filter that adds a JWT token to the response header, but when accessing the `/login` endpoint I get a 403 error, even though I have already configured an ant matcher for the `/login` request.

**Web Security Configuration**

package com.mukul.app.mobileappws.security;

import com.mukul.app.mobileappws.security.FIlter.AuthenticationFilter;
import com.mukul.app.mobileappws.services.UserService;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

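@Configuration
@EnableWebSecurity
public class ConfigurationSecurity extends WebSecurityConfigurerAdapter {
    /** Looks up users for the authentication manager; injected by Spring. */
    private final UserService userService;
    /** Encoder used to verify the stored bcrypt password hashes. */
    private final BCryptPasswordEncoder bcrypt;

    /**
     * Creates the security configuration with its two collaborators.
     *
     * @param u service that loads user details
     * @param b bcrypt encoder matching the one used at signup
     */
    ConfigurationSecurity(UserService u, BCryptPasswordEncoder b) {
        this.userService = u;
        this.bcrypt = b;
    }

    /**
     * Configures the HTTP security rules: signup and login are open, everything
     * else requires an authenticated request, and the JWT-issuing login filter is
     * placed in the chain.
     *
     * @param http the security builder supplied by Spring
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // AuthenticationFilter extends UsernamePasswordAuthenticationFilter, which is
        // what lets addFilter() slot it into that filter's position in the chain.
        AuthenticationFilter af = new AuthenticationFilter(authenticationManager());

        // CSRF protection is off because clients are meant to authenticate with the
        // JWT header issued by AuthenticationFilter rather than a session cookie;
        // this is only safe while no cookie-based authentication is in use.
        // NOTE(review): no session creation policy is set here, so the container may
        // still create sessions for authenticated requests — confirm this is intended.
        http.csrf().disable();
        http.authorizeRequests()
                .antMatchers(HttpMethod.POST, "/users").permitAll()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated();
        http.addFilter(af);
    }

    /**
     * Wires the user lookup service and password encoder into the authentication
     * manager so submitted credentials are checked against bcrypt hashes.
     *
     * @param auth the authentication builder supplied by Spring
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(bcrypt);
    }

}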

Authentication filter

package com.mukul.app.mobileappws.security.FIlter;

import java.io.IOException;
import java.util.Date;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.mukul.app.mobileappws.security.SecurityConstants;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

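public class AuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    /** Manager that validates the submitted e-mail/password pair. */
    private final AuthenticationManager authManager;

    /**
     * Creates the login filter.
     *
     * @param am authentication manager used by {@link #attemptAuthentication}
     */
    public AuthenticationFilter(AuthenticationManager am) {
        this.authManager = am;
    }

    /**
     * Reads the {@code email} and {@code password} request parameters and submits
     * them to the authentication manager.
     *
     * @param request  the login request
     * @param response the response (unused here)
     * @return the authenticated token on success
     * @throws AuthenticationException if the credentials are rejected
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // Absent parameters become "" rather than null, the same convention the
        // parent filter uses, so a null never reaches the token or the provider.
        String email = request.getParameter("email");
        String password = request.getParameter("password");
        if (email == null) {
            email = "";
        }
        if (password == null) {
            password = "";
        }

        return authManager.authenticate(new UsernamePasswordAuthenticationToken(email, password));
    }

    /**
     * Issues a signed JWT for the authenticated user and adds it to the response
     * header before delegating to the parent's success handling.
     *
     * @param request  the login request
     * @param response the response that receives the token header
     * @param chain    the remaining filter chain
     * @param auth     the successful authentication result
     * @throws IOException      propagated from the parent handler
     * @throws ServletException propagated from the parent handler
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication auth) throws IOException, ServletException {

        // getName() yields the principal's username without an unchecked cast to User.
        String email = auth.getName();

        // Expiry is "now + EXPIRE"; the two '+' operators below were missing in the
        // original listing.
        long expiresAt = System.currentTimeMillis() + SecurityConstants.EXPIRE;
        String token = Jwts.builder()
                .setSubject(email)
                .setExpiration(new Date(expiresAt))
                // HS512 is a shared-secret MAC: SecurityConstants.SECRET must be a
                // high-entropy value supplied from configuration rather than a
                // literal in source — verify how it is defined.
                .signWith(SignatureAlgorithm.HS512, SecurityConstants.SECRET)
                .compact();
        response.addHeader(SecurityConstants.HEADER, SecurityConstants.PREFIX + token);

        // The parent's default success handler redirects after login; without a
        // custom handler that is where the post-login 404 reported below comes from.
        super.successfulAuthentication(request, response, chain, auth);
    }

}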

Postman Trigger request

This is how you need to trigger your request if you are reading from `request.getParameter(parameterName)`. Please note that I received a 404 error because, after a successful login, Spring tries to redirect me to '/', which doesn't exist. :)
