Spring Boot Security Hell

Currently I am building some web app. The problem is that I have a login method dedicated for anyone to use:
```java
@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    // Deliberately fails for the test described below: every call ends in 424 FAILED_DEPENDENCY.
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /* Real body, commented out while testing:
    log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);
    */
}
```
As can be seen, I've directly told it to throw FAILED_DEPENDENCY (just as a test), because my security config:
```java
csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET, "/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});
```
always makes it return 403 when an exception occurs. No matter what exception is thrown, it answers with a 403 when using the endpoint "/api/v1/user/login". When no error is thrown it works, so I don't know what is going on...
13 Replies
JavaBot (4w ago)
This post has been reserved for your question.
Hey @Groldi! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
dan1st (4w ago)
My guess is CSRF. Do you include CSRF tokens in the request?
Groldi (OP, 4w ago)
I do not. Wait
```java
@Slf4j @Order(1) @AllArgsConstructor @Getter(AccessLevel.PROTECTED)
public class JwtAuthorizationFilter extends OncePerRequestFilter
{
    // @Order only matters for container-registered filters; when the filter is added with
    // addFilterBefore(...) its position in the Spring Security chain is fixed by that call.
    private final UserService userService;

    @Override
    protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException
    {
        try
        {
            // first check header then cookies (checkHeader/checkCookies are helpers of this class not shown in the post)
            String token = checkHeader(request).or(() -> checkCookies(request)).orElse("");
            getUserService().validate(token).ifPresentOrElse((auth) ->
            {
                log.info("The authorization token was successfully validated.");
                SecurityContextHolder.getContext().setAuthentication(auth);
                request.setAttribute("token", auth.getDetails());
            }, () -> log.warn("The request did not contain a valid authorization token."));
        } catch (ExpiredJwtException expiredJwtException)
        {
            log.warn("An incoming request had an expired token.");
            // Thrown from a filter, this exception is not seen by the MVC exception resolvers;
            // the container handles it by forwarding to /error with DispatcherType.ERROR.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "The token is expired");
        }
        filterChain.doFilter(request, response);
    }
}
```
this is my only filter, but the problem still occurs when bypassing it
dan1st (4w ago)
Can you enable DEBUG or TRACE logging for Spring Security and show these logs when making the request?
dan1st (4w ago)
Stack Overflow: How do I enable logging for Spring Security?
I am setting up Spring Security to handle logging users in. I have logged in as a user, and am taken to an Access Denied error page upon successful login. I don't know what roles my user has actually
Groldi (OP, 4w ago)
Sure, will do when home, thanks for your time however.
2025-01-02T20:03:45.431+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.432+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured POST /api/v1/user/login
2025-01-02T20:03:45.478+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /error
2025-01-02T20:03:45.479+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.481+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
dan1st (4w ago)
What was there before? How are you adding the filter?
Groldi (OP, 4w ago)
I'll send you the whole log in 5 minutes, currently I needed to switch to another branch and demonstrate something
Groldi (OP, 4w ago)
Gist: spring log
Groldi (OP, 4w ago)
Gist: SecurityConfig.java
Groldi (OP, 4w ago)
Okay, I've been looking at the logs and they tell me that the request is forwarded to the /error endpoint. However, this endpoint is secured by .authenticated(). Therefore it fails with a 403. By enabling debug you led me to the right choice. Thanks for your time!
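The following is an added example, not the OP's SecurityConfig (which was only linked as a gist) and not code from the project. It puts the configuration that reproduces the symptom next to a corrected one, so the mechanism in the log above is visible in code: any exception escaping the login handler (or the JWT filter) makes the container forward the request to /error as a `DispatcherType.ERROR` dispatch; that second dispatch hits `anyRequest().authenticated()` while the caller is still anonymous, and because no login mechanism (form login, HTTP Basic) is configured, Spring Security falls back to `Http403ForbiddenEntryPoint`, which is exactly the entry point named in the debug output. The fix is to let the ERROR dispatch through with `dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` (available in Spring Security 6.1 and later, assumed here) and to register an explicit 401 entry point so an unauthenticated call is reported as "authenticate" rather than "forbidden". The package name, the constructor injection of `JwtAuthorizationFilter` and the use of `UsernamePasswordAuthenticationFilter` as the anchor for `addFilterBefore` are assumptions (the thread only shows `clazz`).

```java
package example.security; // assumed package for this example

import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig
{
    // The filter from the thread, injected as a bean (assumption: it is a @Component).
    private final JwtAuthorizationFilter jwtFilter;

    public SecurityConfig(JwtAuthorizationFilter jwtFilter)
    {
        this.jwtFilter = jwtFilter;
    }

    // Weak version, NOT registered as a bean: reproduces the 403 from the thread.
    // When the login handler throws, the container forwards to /error with DispatcherType.ERROR.
    // That dispatch matches anyRequest().authenticated(), the caller is anonymous, and with no
    // login mechanism configured the default entry point is Http403ForbiddenEntryPoint.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception
    {
        return http
            .csrf(csrf -> csrf.disable())
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> {
                auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
                auth.requestMatchers(HttpMethod.GET, "/api/v1/user/logout").permitAll();
                auth.anyRequest().authenticated();
            })
            .build();
    }

    // Corrected version: the one the application actually uses.
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception
    {
        return http
            // Stateless bearer-token API: there is no session cookie for CSRF to protect.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> {
                // Let the ERROR dispatch through so the real status (424 in the OP's test,
                // 401 for an expired token) reaches the client instead of a 403 on /error.
                auth.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll();
                // permitAll rather than anonymous(): anonymous() rejects a caller who already
                // carries a valid token cookie, which turns a repeated login into a 403.
                auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").permitAll();
                auth.requestMatchers(HttpMethod.GET, "/api/v1/user/logout").permitAll();
                auth.anyRequest().authenticated();
            })
            // Unauthenticated access to a protected endpoint is a 401, not the 403 default,
            // so clients can tell "authenticate first" apart from "you may not do this".
            .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .build();
    }
}
```

To confirm the change, keep the logging dan1st suggested (`logging.level.org.springframework.security=DEBUG` in application.properties) and repeat the failing POST: the `Securing POST /error` line followed by `Http403ForbiddenEntryPoint ... Rejecting access` should no longer appear, and the client should receive the status the handler actually threw. The ERROR permit also covers the `ResponseStatusException` thrown inside the JWT filter, since exceptions from filters never reach the MVC exception resolvers and always go through the container's error dispatch.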
JavaBot (4w ago)
If you are finished with your post, please close it. If you are not, please ignore this message. Note that you will not be able to send further messages here after this post has been closed, but you will be able to create new posts.
JavaBot (4w ago)
Post Closed
This post has been closed by <@464005014696886284>.