Groldi
JCHJava Community | Help. Code. Learn.
Created by Groldi on 1/2/2025 in #java-help
Spring Boot Security Hell
Okay, I've been looking at the logs and they tell me that the request is forwarded to the /error endpoint. However, this endpoint is secured by .authenticated(). Therefore it fails with a 403. By enabling debug you led me to the right choice. Thanks for your time!
22 replies
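The fix the message above describes, as an added example that is not code from the thread: a Spring Security 6 SecurityFilterChain that leaves the container's ERROR dispatch open while everything else stays behind authenticated(). It assumes the JwtAuthorizationFilter and UserService posted later in the thread, the /api/v1/user/login path from the log, and leaves CSRF configuration as whatever the project already has.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig
{
    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http, UserService userService) throws Exception
    {
        http
            // The JWT travels in a header or cookie; no server-side session is needed.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // The ERROR dispatch is what the servlet container uses when a filter or
                // controller throws. Spring Security 6 authorizes it like any other request,
                // so an anonymous caller whose request already failed gets a second failure,
                // a 403 on /error, which hides the real status. Permitting the dispatch type
                // rather than the "/error" path keeps a direct, unauthenticated request to
                // /error under the ordinary rules below.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                .requestMatchers(HttpMethod.POST, "/api/v1/user/login").permitAll()
                .anyRequest().authenticated())
            // Run the JWT filter ahead of the standard authentication filter so the
            // SecurityContext is populated before the authorization decision is made.
            .addFilterBefore(new JwtAuthorizationFilter(userService), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

With this in place the debug log shows the ERROR dispatch of /error as permitted, and the client receives the status the original failure produced instead of 403.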
I'll send you the whole log in 5 minutes, currently I needed to switch to another branch and demonstrate something
2025-01-02T20:03:45.431+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.432+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured POST /api/v1/user/login
2025-01-02T20:03:45.478+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /error
2025-01-02T20:03:45.479+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2025-01-02T20:03:45.481+01:00 DEBUG 74926 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
Sure, will do when home, thanks for your time however.
this is my only filter, but the problem still occurs when bypassing it
import java.io.IOException;
import io.jsonwebtoken.ExpiredJwtException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.AccessLevel;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.jetbrains.annotations.NotNull; // assumed source of @NotNull; the post does not show it
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.server.ResponseStatusException;

@Slf4j @Order(1) @AllArgsConstructor @Getter(AccessLevel.PROTECTED)
public class JwtAuthorizationFilter extends OncePerRequestFilter
{
    private final UserService userService;

    // checkHeader(request) and checkCookies(request) are defined elsewhere in this class (not
    // shown in the post); each returns an Optional<String> holding the raw token, if present.
    @Override
    protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response,
                                    @NotNull FilterChain filterChain) throws ServletException, IOException
    {
        try
        {
            // first check header then cookies
            String token = checkHeader(request).or(() -> checkCookies(request)).orElse("");
            getUserService().validate(token).ifPresentOrElse((auth) ->
            {
                log.info("The authorization token was successfully validated.");
                SecurityContextHolder.getContext().setAuthentication(auth);
                request.setAttribute("token", auth.getDetails());
            }, () -> log.warn("The request did not contain a valid authorization token."));
        } catch (ExpiredJwtException expiredJwtException)
        {
            log.warn("An incoming request had an expired token.");
            // Thrown from a filter, this never reaches Spring MVC's exception resolvers: the servlet
            // container dispatches the request to /error, so that dispatch must be permitted in the
            // security configuration or the client sees a 403 instead of 401.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "The token is expired");
        }
        filterChain.doFilter(request, response);
    }
}
Wait
I do not
JCHJava Community | Help. Code. Learn.
Created by Groldi on 5/28/2024 in #java-help
HttpOnly Cookie not sent
7 replies
The second request does not include the cookie received from the first request. Does anybody know why?
import org.jetbrains.annotations.NotNull; // assumed source of @NotNull; the post does not show it
import org.springframework.http.HttpHeaders;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

@Override
public void addCorsMappings(@NotNull CorsRegistry registry)
{
    registry.addMapping("/**")
            // "*" reflects any Origin while credentials are allowed, so every site can make
            // credentialed requests; narrow this to the real front-end origins beyond local dev.
            .allowedOriginPatterns("*")
            // The Origin header never carries a trailing slash, so "http://localhost:4200/" would not match.
            .allowedOrigins("http://localhost:4200")
            .allowCredentials(true)
            // Set-Cookie is a forbidden response header for scripts; exposing it has no effect.
            .exposedHeaders(HttpHeaders.SET_COOKIE)
            .allowedMethods("GET", "POST", "PUT", "DELETE")
            .maxAge(3600);
}
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.jetbrains.annotations.NotNull;  // assumed source of @NotNull/@Nullable
import org.jetbrains.annotations.Nullable;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> loginUser(@NotNull @RequestBody UserLoginModel loginModel, HttpServletResponse response)
{
    return login(loginModel).map(token ->
    {
        Cookie cookie = new Cookie("jwtToken", token);
        cookie.setHttpOnly(true);
        cookie.setSecure(false); // plain-http localhost only; must be true once served over HTTPS
        cookie.setPath("/");
        // No Domain attribute: browsers ignore or reject Domain=localhost, and a host-only
        // cookie is all the local front end needs to send it back.
        cookie.setMaxAge(loginModel.keepLoggedIn() ? (14 * 24 * 60 * 60) : (24 * 60 * 60)); // 2 weeks or 1 day
        response.addCookie(cookie);
        // Returning the token in the body as well lets script read it, which is what HttpOnly was meant to prevent.
        return ResponseEntity.ok(token);
    }).orElseThrow(this::unauthorizedThrowable);
}
// Methods of an Angular service; this.http is the injected HttpClient.
login(data: LoginRequest)
{
    this.loginRequest(data).subscribe({
        next: () => {
            console.log('Login successful');
            this.requestData().subscribe({
                next: (data) => {
                    console.log('Data ', data);
                },
                error: (error) => {
                    console.error('Failed to retrieve data:', error);
                }
            });
        },
        error: (error) => {
            console.error('Login failed:', error);
        }
    });
}

private requestData(): Observable<any> {
    return this.http.get<any>("http://localhost:8080/user/get", { withCredentials: true });
}

private loginRequest(data: LoginRequest): Observable<void> {
    // withCredentials is needed on the login call as well: the response comes from a different
    // origin (4200 -> 8080), and the browser only stores a cross-origin Set-Cookie when the
    // request was made with credentials. Without it no cookie exists for requestData() to send.
    return this.http.post<void>("http://localhost:8080/user/login", data,
        { responseType: "text" as "json", withCredentials: true });
}