Spring Security HTTP 403 Forbidden











up vote
0
down vote

favorite












I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below 



@Override

protected void configure(HttpSecurity http) throws Exception {

    logger.info("Setting Endpoint Security.");



    http

        .authorizeRequests()

        .antMatchers("/auth/**").permitAll()

        .anyRequest().authenticated()

        .and()

        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        .and()

        .csrf().disable();



}


This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



Here is the spring security debug logs



2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 



************************************************************



Request received for POST '/api/v1/auth/login':



org.apache.catalina.connector.RequestFacade@1a183946



servletPath:/api/v1

pathInfo:/auth/login

headers: 

content-type: application/x-www-form-urlencoded

cache-control: no-cache

postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e

user-agent: PostmanRuntime/7.4.0

accept: */*

host: localhost:8080

cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719

accept-encoding: gzip, deflate

content-length: 29

connection: keep-alive





Security filter chain: [

  WebAsyncManagerIntegrationFilter

  SecurityContextPersistenceFilter

  HeaderWriterFilter

  LogoutFilter

  RequestCacheAwareFilter

  SecurityContextHolderAwareRequestFilter

  AnonymousAuthenticationFilter

  SessionManagementFilter

  ExceptionTranslationFilter

  FilterSecurityInterceptor

]





************************************************************


and here is the resource i am trying to access



@Path("/auth")

@Component

public class Auth {



    private static final Logger logger = LoggerFactory.getLogger(Auth.class);



    @POST

    @Path("/login")

    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)

    public Response login(@FormParam("username") String user, 

                          @FormParam("password") String pass) {

        logger.info("Form-data [username] {}",user);

        logger.info("Form-data [password] {}",pass);

        return Response.ok().build();

    }



    @POST

    @Path("/logout")

    @Produces({ MediaType.APPLICATION_JSON })

    public String logout() {

        return "Login!";

    } 



}


Just so we are clear, i am using Jersey + Spring Boot



Here is Jersey Config 



@Configuration

@ApplicationPath("api/v1")

public class JerseyConfig extends ResourceConfig{

    public JerseyConfig() {



    }



    @PostConstruct

    public void setUp() {

        register(Wish.class);

        register(Auth.class);

        register(User.class);

        register(GenericExceptionMapper.class);

    }

}


Now, as what i understand on the http method series in configuremethod.



First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



Can somebody point out the mistakes or maybe my understanding is not correct.






spring rest jersey spring-security-rest







share|improve this question




























    up vote
    0
    down vote

    favorite












    I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below 



    @Override
    
protected void configure(HttpSecurity http) throws Exception {
    
    logger.info("Setting Endpoint Security.");
    

    
    http
    
        .authorizeRequests()
    
        .antMatchers("/auth/**").permitAll()
    
        .anyRequest().authenticated()
    
        .and()
    
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    
        .and()
    
        .csrf().disable();
    

    
}


    This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



    Here is the spring security debug logs



    2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 
    

    
************************************************************
    

    
Request received for POST '/api/v1/auth/login':
    

    
org.apache.catalina.connector.RequestFacade@1a183946
    

    
servletPath:/api/v1
    
pathInfo:/auth/login
    
headers: 
    
content-type: application/x-www-form-urlencoded
    
cache-control: no-cache
    
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
    
user-agent: PostmanRuntime/7.4.0
    
accept: */*
    
host: localhost:8080
    
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
    
accept-encoding: gzip, deflate
    
content-length: 29
    
connection: keep-alive
    

    

    
Security filter chain: [
    
  WebAsyncManagerIntegrationFilter
    
  SecurityContextPersistenceFilter
    
  HeaderWriterFilter
    
  LogoutFilter
    
  RequestCacheAwareFilter
    
  SecurityContextHolderAwareRequestFilter
    
  AnonymousAuthenticationFilter
    
  SessionManagementFilter
    
  ExceptionTranslationFilter
    
  FilterSecurityInterceptor
    
]
    

    

    
************************************************************


    and here is the resource i am trying to access



    @Path("/auth")
    
@Component
    
public class Auth {
    

    
    private static final Logger logger = LoggerFactory.getLogger(Auth.class);
    

    
    @POST
    
    @Path("/login")
    
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    
    public Response login(@FormParam("username") String user, 
    
                          @FormParam("password") String pass) {
    
        logger.info("Form-data [username] {}",user);
    
        logger.info("Form-data [password] {}",pass);
    
        return Response.ok().build();
    
    }
    

    
    @POST
    
    @Path("/logout")
    
    @Produces({ MediaType.APPLICATION_JSON })
    
    public String logout() {
    
        return "Login!";
    
    } 
    

    
}


    Just so we are clear, i am using Jersey + Spring Boot



    Here is Jersey Config 



    @Configuration
    
@ApplicationPath("api/v1")
    
public class JerseyConfig extends ResourceConfig{
    
    public JerseyConfig() {
    

    
    }
    

    
    @PostConstruct
    
    public void setUp() {
    
        register(Wish.class);
    
        register(Auth.class);
    
        register(User.class);
    
        register(GenericExceptionMapper.class);
    
    }
    
}


    Now, as what i understand on the http method series in configuremethod.



    First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



    Can somebody point out the mistakes or maybe my understanding is not correct.






    spring rest jersey spring-security-rest







    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below 



      @Override
      
protected void configure(HttpSecurity http) throws Exception {
      
    logger.info("Setting Endpoint Security.");
      

      
    http
      
        .authorizeRequests()
      
        .antMatchers("/auth/**").permitAll()
      
        .anyRequest().authenticated()
      
        .and()
      
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      
        .and()
      
        .csrf().disable();
      

      
}


      This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



      Here is the spring security debug logs



      2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 
      

      
************************************************************
      

      
Request received for POST '/api/v1/auth/login':
      

      
org.apache.catalina.connector.RequestFacade@1a183946
      

      
servletPath:/api/v1
      
pathInfo:/auth/login
      
headers: 
      
content-type: application/x-www-form-urlencoded
      
cache-control: no-cache
      
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
      
user-agent: PostmanRuntime/7.4.0
      
accept: */*
      
host: localhost:8080
      
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
      
accept-encoding: gzip, deflate
      
content-length: 29
      
connection: keep-alive
      

      

      
Security filter chain: [
      
  WebAsyncManagerIntegrationFilter
      
  SecurityContextPersistenceFilter
      
  HeaderWriterFilter
      
  LogoutFilter
      
  RequestCacheAwareFilter
      
  SecurityContextHolderAwareRequestFilter
      
  AnonymousAuthenticationFilter
      
  SessionManagementFilter
      
  ExceptionTranslationFilter
      
  FilterSecurityInterceptor
      
]
      

      

      
************************************************************


      and here is the resource i am trying to access



      @Path("/auth")
      
@Component
      
public class Auth {
      

      
    private static final Logger logger = LoggerFactory.getLogger(Auth.class);
      

      
    @POST
      
    @Path("/login")
      
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
      
    public Response login(@FormParam("username") String user, 
      
                          @FormParam("password") String pass) {
      
        logger.info("Form-data [username] {}",user);
      
        logger.info("Form-data [password] {}",pass);
      
        return Response.ok().build();
      
    }
      

      
    @POST
      
    @Path("/logout")
      
    @Produces({ MediaType.APPLICATION_JSON })
      
    public String logout() {
      
        return "Login!";
      
    } 
      

      
}


      Just so we are clear, i am using Jersey + Spring Boot



      Here is Jersey Config 



      @Configuration
      
@ApplicationPath("api/v1")
      
public class JerseyConfig extends ResourceConfig{
      
    public JerseyConfig() {
      

      
    }
      

      
    @PostConstruct
      
    public void setUp() {
      
        register(Wish.class);
      
        register(Auth.class);
      
        register(User.class);
      
        register(GenericExceptionMapper.class);
      
    }
      
}


      Now, as what i understand on the http method series in configuremethod.



      First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



      Can somebody point out the mistakes or maybe my understanding is not correct.






      spring rest jersey spring-security-rest







      share|improve this question















      I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below 



      @Override
      
protected void configure(HttpSecurity http) throws Exception {
      
    logger.info("Setting Endpoint Security.");
      

      
    http
      
        .authorizeRequests()
      
        .antMatchers("/auth/**").permitAll()
      
        .anyRequest().authenticated()
      
        .and()
      
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      
        .and()
      
        .csrf().disable();
      

      
}


      This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



      Here is the spring security debug logs



      2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 
      

      
************************************************************
      

      
Request received for POST '/api/v1/auth/login':
      

      
org.apache.catalina.connector.RequestFacade@1a183946
      

      
servletPath:/api/v1
      
pathInfo:/auth/login
      
headers: 
      
content-type: application/x-www-form-urlencoded
      
cache-control: no-cache
      
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
      
user-agent: PostmanRuntime/7.4.0
      
accept: */*
      
host: localhost:8080
      
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
      
accept-encoding: gzip, deflate
      
content-length: 29
      
connection: keep-alive
      

      

      
Security filter chain: [
      
  WebAsyncManagerIntegrationFilter
      
  SecurityContextPersistenceFilter
      
  HeaderWriterFilter
      
  LogoutFilter
      
  RequestCacheAwareFilter
      
  SecurityContextHolderAwareRequestFilter
      
  AnonymousAuthenticationFilter
      
  SessionManagementFilter
      
  ExceptionTranslationFilter
      
  FilterSecurityInterceptor
      
]
      

      

      
************************************************************


      and here is the resource i am trying to access



      @Path("/auth")
      
@Component
      
public class Auth {
      

      
    private static final Logger logger = LoggerFactory.getLogger(Auth.class);
      

      
    @POST
      
    @Path("/login")
      
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
      
    public Response login(@FormParam("username") String user, 
      
                          @FormParam("password") String pass) {
      
        logger.info("Form-data [username] {}",user);
      
        logger.info("Form-data [password] {}",pass);
      
        return Response.ok().build();
      
    }
      

      
    @POST
      
    @Path("/logout")
      
    @Produces({ MediaType.APPLICATION_JSON })
      
    public String logout() {
      
        return "Login!";
      
    } 
      

      
}


      Just so we are clear, i am using Jersey + Spring Boot



      Here is Jersey Config 



      @Configuration
      
@ApplicationPath("api/v1")
      
public class JerseyConfig extends ResourceConfig{
      
    public JerseyConfig() {
      

      
    }
      

      
    @PostConstruct
      
    public void setUp() {
      
        register(Wish.class);
      
        register(Auth.class);
      
        register(User.class);
      
        register(GenericExceptionMapper.class);
      
    }
      
}


      Now, as what i understand on the http method series in configuremethod.



      First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



      Can somebody point out the mistakes or maybe my understanding is not correct.






      spring rest jersey spring-security-rest




      spring rest jersey spring-security-rest






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 18 at 12:16

























      asked Nov 18 at 12:08









      lemoncodes

      96582539




      96582539
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27













          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53360694%2fspring-security-http-403-forbidden%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27

















          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27















          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer












          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 18 at 12:22









          slimane

          3494




          3494












          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27




















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27


















          still the same, both /api/v1/auth/** and **/auth/** does not work
          – lemoncodes
          Nov 18 at 12:24




          still the same, both /api/v1/auth/** and **/auth/** does not work
          – lemoncodes
          Nov 18 at 12:24












          sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
          – lemoncodes
          Nov 18 at 12:27






          sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
          – lemoncodes
          Nov 18 at 12:27




















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53360694%2fspring-security-http-403-forbidden%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          If I really need a card on my start hand, how many mulligans make sense? [duplicate]

          Image
          5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
          Read more

          Alcedinidae

          Image
          Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
          Read more

          Can an atomic nucleus contain both particles and antiparticles? [duplicate]

          Image
          9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
          Read more