Spring security 401 Unauthorized even with permitAll
Solution 1
I had the same issue, not sure, but I think you need this order:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/api/auth/**")
        .permitAll()
        .antMatchers("/",
            "/favicon.ico",
            "/**/*.png",
            "/**/*.gif",
            "/**/*.svg",
            "/**/*.jpg",
            "/**/*.html",
            "/**/*.css",
            "/**/*.js")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .cors()
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(this.jwtAuthenticationEntryPoint)
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf()
        .disable();

    // Add our custom JWT security filter
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
Solution 2
Your configuration is not working due to the order in which the antMatchers are evaluated:
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers(HttpMethod.POST, "/api/auth/**")
.permitAll()
.anyRequest()
.authenticated();
The order of the request match rules matters, and more specific rules should go first. There is some conflict between both antMatcher rules, and therefore the second rule, i.e. .antMatchers(HttpMethod.POST, "/api/auth/**"), is ignored.
Therefore the order should be the following:
.antMatchers(HttpMethod.POST, "/api/auth/**")
.permitAll()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
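As an added illustration (not part of either answer), the snippet below models how authorizeRequests() rules are evaluated: Spring Security applies the first rule that matches the request, so a broader pattern placed earlier silently shadows a narrower permitAll that comes after it. AntPathMatcher and HttpMethod are Spring's own classes; the Rule record, the isPermittedAnonymously helper and the broad /api/** rule are assumptions made for this demo and are not from the question.

```java
import org.springframework.http.HttpMethod;
import org.springframework.util.AntPathMatcher;

import java.util.List;

public class RuleOrderDemo {

    // One authorizeRequests() rule: optional HTTP method, ant-style pattern,
    // and whether it permits anonymous access (permitAll) or requires authentication.
    record Rule(HttpMethod method, String pattern, boolean permitAll) {}

    // The same matcher antMatchers() uses under the hood.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Rules are evaluated top to bottom and the FIRST match decides;
    // no match falls through to anyRequest().authenticated().
    static boolean isPermittedAnonymously(List<Rule> rules, HttpMethod method, String path) {
        for (Rule rule : rules) {
            boolean methodMatches = rule.method() == null || rule.method().equals(method);
            if (methodMatches && MATCHER.match(rule.pattern(), path)) {
                return rule.permitAll();
            }
        }
        return false; // anyRequest().authenticated()
    }

    public static void main(String[] args) {
        Rule signin = new Rule(HttpMethod.POST, "/api/auth/**", true);   // from the question
        Rule assets = new Rule(null, "/**/*.js", true);                   // from the question
        Rule apiAll = new Rule(null, "/api/**", false);                   // hypothetical broad rule

        // Broad rule first: /api/** matches /api/auth/signin before the permitAll rule is consulted.
        System.out.println("broad first, POST /api/auth/signin permitted: "
                + isPermittedAnonymously(List.of(apiAll, signin, assets), HttpMethod.POST, "/api/auth/signin"));

        // Specific rule first: the signin endpoint is reachable without credentials.
        System.out.println("specific first, POST /api/auth/signin permitted: "
                + isPermittedAnonymously(List.of(signin, apiAll, assets), HttpMethod.POST, "/api/auth/signin"));

        // The HTTP method is part of the rule: a GET to the same path skips the POST-only rule.
        System.out.println("specific first, GET /api/auth/signin permitted: "
                + isPermittedAnonymously(List.of(signin, apiAll, assets), HttpMethod.GET, "/api/auth/signin"));
    }
}
```

Requires spring-core and spring-web on the classpath and Java 16 or newer for the record.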
Ayoub k
Updated on August 16, 2022
Comments
-
Ayoub k over 1 year
I'm using Spring Security to secure some endpoints in my REST service.
Here's the security configuration class:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Other methods

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors()
            .and()
            .csrf()
            .disable()
            .exceptionHandling()
            .authenticationEntryPoint(this.jwtAuthenticationEntryPoint)
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/",
                "/favicon.ico",
                "/**/*.png",
                "/**/*.gif",
                "/**/*.svg",
                "/**/*.jpg",
                "/**/*.html",
                "/**/*.css",
                "/**/*.js")
            .permitAll()
            .antMatchers(HttpMethod.POST, "/api/auth/**")
            .permitAll()
            .anyRequest()
            .authenticated();

        // Add our custom JWT security filter
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
As you can see, I'm giving full access to /api/auth/signup and /api/auth/signin by using:
.antMatchers(HttpMethod.POST, "/api/auth/**").permitAll()
For some reason, when I tried those requests in Postman, the "signup" request worked fine, but "signin" didn't work and gave me "401 Unauthorized".
I also tried .antMatchers("/**").permitAll()
Here's my controller:
@RestController
public class UserController {

    private UserService userService;

    @Autowired
    public UserController(UserService userService) {
        this.userService = userService;
    }

    @PostMapping("/api/auth/signup")
    public ResponseEntity<RestResponse> registerUser(@Valid @RequestBody SignUpRequest signUpRequest,
                                                     UriComponentsBuilder uriComponentsBuilder) {
        RestResponse restResponse = this.userService.register(signUpRequest);
        UriComponents uriComponents = uriComponentsBuilder.path("/users").buildAndExpand();
        return ResponseEntity.created(uriComponents.toUri()).body(restResponse);
    }

    @PostMapping("/api/auth/signin")
    public ResponseEntity<JwtAuthenticationResponse> authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
        return ResponseEntity.ok(this.userService.login(loginRequest));
    }
}
-
vsk.rahul over 4 years
What is the issue in mine: http.authorizeRequests().antMatchers(HttpMethod.GET, "/get/**").permitAll(); I am still getting an Unauthorized error.
-
Francisco Souza over 4 years
I tried exactly as you pointed above and nothing, still giving the 401 status code.