Home > other >  I have blocked the URL for a user who is not logged in, but after the user logs in he still cannot a
I have blocked the URL for a user who is not logged in, but after the user logs in he still cannot a

Time:10-06

Title says it all.

  • WebSecurityConfig

    @Override
protected void configure(HttpSecurity http) throws Exception {
  http.cors().and().csrf().disable()
          .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
          .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
          .authorizeRequests().antMatchers("/api/auth/**").permitAll()
          .antMatchers("/api/users/**").authenticated()
          .antMatchers(h2ConsolePath   "/**").permitAll().and()
          .formLogin().loginPage("/api/auth/loginAndRegisterForm")
          .successForwardUrl("/api/users/tripAdvisorHomePage").and()
          .logout().logoutUrl("/api/auth/logout").logoutSuccessUrl("/api/auth/loginAndRegisterForm")
          .permitAll();
  http.headers().frameOptions().sameOrigin();
  http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}

As you can see I have .antMatchers("/api/users/**").authenticated() and that works, I cant access that URL, getting Unauthorized error: Full authentication is required to access this resource with code 401.

But when I go back and enter a credentials and get redirected to successForwardUrl("/api/users/tripAdvisorHomePage") its still Full authentication is required.

  • This is my login method:

    @PostMapping("/login")
@Transactional
public ResponseEntity<?> login(@Valid @ModelAttribute("login") 
LoginRequest loginRequest, Model model) {
  Authentication authentication = authenticationManager.
          authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
  SecurityContextHolder.getContext().setAuthentication(authentication);
  UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();

  ResponseCookie jwtCookie = jwtHelper.generateJwtCookie(user);
  System.out.println(jwtCookie);


  model.addAttribute("login", loginRequest);

  HttpHeaders headers = new HttpHeaders();
  ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString());
  headers.add("Location", "/api/users/tripAdvisorHomePage");
  return new ResponseEntity<String>(headers, HttpStatus.FOUND);

  • This is my method to show page if user is logged in.

    @GetMapping("/tripAdvisorHomePage")
public String index() {
  return "tripAdvisorHomePage";
}

And on top of class I have @RequestMapping("/api/users") so the URL for that index API is like in WebSecurityConfig - "/api/users/tripAdvisorHomePage"

I tried to find something useful around but there are all specific ways for each and other and so far I had no success.

CodePudding user response:

I may be mistaken here, but the following looks odd:

  HttpHeaders headers = new HttpHeaders();
  ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString()); // What now?
  headers.add("Location", "/api/users/tripAdvisorHomePage");
  return new ResponseEntity<String>(headers, HttpStatus.FOUND);

The Set-Cookie header is never part of the actually returned ResponseEntity. Try adding the Set-Cookie and Location header to the same response entity:

return ResponseEntity
  .status(HttpStatus.FOUND)
  .location("/api/users/tripAdvisorHomePage")
  .header(HttpHeaders.SET_COOKIE, jwtCookie.toString())
  .build();

(untested)

Page link:https//www.codepudding.com/other/567114.html

Prev:How to detect from where 404 error is coming? debugger calls the method and works fine but then stil
Next:How do I verify if the next token in a Scanner class is empty in order to differentiate between loop
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding