Groldi
Groldi
PostsComments
JCHJava Community | Help. Code. Learn.
Created by Groldi on 1/2/2025 in #java-help
Spring Boot Security Hell
Currently I am building some web app. The problem is that I have a login method dedicated for anyone to use: 
@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}
@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}
As it can be seen I've directly told it to throw FAILED_DEPENDENCY (just as a test), because my security config: 
csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});
csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});
always makes it return 403 when an exception occurred. No matter what exception is thrown, it answers with a 403 when using the endpoint "/api/v1/user/login". When no error is thrown it works, so I don't know what is going on...
22 replies
JCHJava Community | Help. Code. Learn.
Created by Groldi on 5/28/2024 in #java-help
HttpOnly Cookie not sent
Hello, why isn't my HTTP-only cookie being transmitted with the subsequent request? Disregard code quality as this is solely for testing purposes. Additional details can be found within the chat.
7 replies