Home > other >  I have blocked the URL for a user who is not logged in, but after the user logs in he still cannot a
I have blocked the URL for a user who is not logged in, but after the user logs in he still cannot a

Time:10-06

Title says it all.

  • WebSecurityConfig

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http.cors().and().csrf().disable()
              .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
              .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
              .authorizeRequests().antMatchers("/api/auth/**").permitAll()
              .antMatchers("/api/users/**").authenticated()
              .antMatchers(h2ConsolePath   "/**").permitAll().and()
              .formLogin().loginPage("/api/auth/loginAndRegisterForm")
              .successForwardUrl("/api/users/tripAdvisorHomePage").and()
              .logout().logoutUrl("/api/auth/logout").logoutSuccessUrl("/api/auth/loginAndRegisterForm")
              .permitAll();
      http.headers().frameOptions().sameOrigin();
      http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
    

As you can see I have .antMatchers("/api/users/**").authenticated() and that works, I cant access that URL, getting Unauthorized error: Full authentication is required to access this resource with code 401.

But when I go back and enter a credentials and get redirected to successForwardUrl("/api/users/tripAdvisorHomePage") its still Full authentication is required.

  • This is my login method:

    @PostMapping("/login")
    @Transactional
    public ResponseEntity<?> login(@Valid @ModelAttribute("login") 
    LoginRequest loginRequest, Model model) {
      Authentication authentication = authenticationManager.
              authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
      SecurityContextHolder.getContext().setAuthentication(authentication);
      UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();
    
      ResponseCookie jwtCookie = jwtHelper.generateJwtCookie(user);
      System.out.println(jwtCookie);
    
    
      model.addAttribute("login", loginRequest);
    
      HttpHeaders headers = new HttpHeaders();
      ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString());
      headers.add("Location", "/api/users/tripAdvisorHomePage");
      return new ResponseEntity<String>(headers, HttpStatus.FOUND);
    
  • This is my method to show page if user is logged in.

    @GetMapping("/tripAdvisorHomePage")
    public String index() {
      return "tripAdvisorHomePage";
    }
    

And on top of class I have @RequestMapping("/api/users") so the URL for that index API is like in WebSecurityConfig - "/api/users/tripAdvisorHomePage"

I tried to find something useful around but there are all specific ways for each and other and so far I had no success.

CodePudding user response:

I may be mistaken here, but the following looks odd:

  HttpHeaders headers = new HttpHeaders();
  ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString()); // What now?
  headers.add("Location", "/api/users/tripAdvisorHomePage");
  return new ResponseEntity<String>(headers, HttpStatus.FOUND);

The Set-Cookie header is never part of the actually returned ResponseEntity. Try adding the Set-Cookie and Location header to the same response entity:

return ResponseEntity
  .status(HttpStatus.FOUND)
  .location("/api/users/tripAdvisorHomePage")
  .header(HttpHeaders.SET_COOKIE, jwtCookie.toString())
  .build();

(untested)

  • Related