Spring Security HTTP 403 Forbidden
up vote
0
down vote
favorite
I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");
http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();
}
This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter
Here is the spring security debug logs
2018-11-18 20:14:27.923 INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger :
************************************************************
Request received for POST '/api/v1/auth/login':
org.apache.catalina.connector.RequestFacade@1a183946
servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
and here is the resource i am trying to access
@Path("/auth")
@Component
public class Auth {
private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}
@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}
}
Just so we are clear, i am using Jersey + Spring Boot
Here is Jersey Config
@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {
}
@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}
Now, as what i understand on the http method series in configuremethod.
First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.
Can somebody point out the mistakes or maybe my understanding is not correct.
spring rest jersey spring-security-rest
asked Nov 18 at 12:08
lemoncodes
96582539
add a comment |
up vote
0
down vote
favorite
I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");
http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();
}
This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter
Here is the spring security debug logs
2018-11-18 20:14:27.923 INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger :
************************************************************
Request received for POST '/api/v1/auth/login':
org.apache.catalina.connector.RequestFacade@1a183946
servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
and here is the resource i am trying to access
@Path("/auth")
@Component
public class Auth {
private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}
@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}
}
Just so we are clear, i am using Jersey + Spring Boot
Here is Jersey Config
@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {
}
@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}
Now, as what i understand on the http method series in configuremethod.
First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.
Can somebody point out the mistakes or maybe my understanding is not correct.
spring rest jersey spring-security-rest
asked Nov 18 at 12:08
lemoncodes
96582539
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");
http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();
}
This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter
Here is the spring security debug logs
2018-11-18 20:14:27.923 INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger :
************************************************************
Request received for POST '/api/v1/auth/login':
org.apache.catalina.connector.RequestFacade@1a183946
servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
and here is the resource i am trying to access
@Path("/auth")
@Component
public class Auth {
private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}
@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}
}
Just so we are clear, i am using Jersey + Spring Boot
Here is Jersey Config
@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {
}
@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}
Now, as what i understand on the http method series in configuremethod.
First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.
Can somebody point out the mistakes or maybe my understanding is not correct.
spring rest jersey spring-security-rest
asked Nov 18 at 12:08
lemoncodes
96582539
I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");
http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();
}
This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter
Here is the spring security debug logs
2018-11-18 20:14:27.923 INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger :
************************************************************
Request received for POST '/api/v1/auth/login':
org.apache.catalina.connector.RequestFacade@1a183946
servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
and here is the resource i am trying to access
@Path("/auth")
@Component
public class Auth {
private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}
@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}
}
Just so we are clear, i am using Jersey + Spring Boot
Here is Jersey Config
@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {
}
@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}
Now, as what i understand on the http method series in configuremethod.
First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.
Can somebody point out the mistakes or maybe my understanding is not correct.
spring rest jersey spring-security-rest
spring rest jersey spring-security-rest
asked Nov 18 at 12:08
lemoncodes
96582539
asked Nov 18 at 12:08
lemoncodes
96582539
edited Nov 18 at 12:16
asked Nov 18 at 12:08
lemoncodes
96582539
asked Nov 18 at 12:08
lemoncodes
96582539
asked Nov 18 at 12:08
lemoncodes
96582539
96582539
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
accepted
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
answered Nov 18 at 12:22
slimane
3494
still the same, both/api/v1/auth/**and**/auth/**does not work
– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lackv1i used /api/v/auth/** only. Why does**/auth/**dont work?
– lemoncodes
Nov 18 at 12:27
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
answered Nov 18 at 12:22
slimane
3494
still the same, both/api/v1/auth/**and**/auth/**does not work
– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lackv1i used /api/v/auth/** only. Why does**/auth/**dont work?
– lemoncodes
Nov 18 at 12:27
add a comment |
up vote
2
down vote
accepted
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
answered Nov 18 at 12:22
slimane
3494
still the same, both/api/v1/auth/**and**/auth/**does not work
– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lackv1i used /api/v/auth/** only. Why does**/auth/**dont work?
– lemoncodes
Nov 18 at 12:27
add a comment |
up vote
2
down vote
accepted
up vote
2
down vote
accepted
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
answered Nov 18 at 12:22
slimane
3494
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
answered Nov 18 at 12:22
slimane
3494
answered Nov 18 at 12:22
slimane
3494
answered Nov 18 at 12:22
slimane
3494
answered Nov 18 at 12:22
slimane
3494
3494
still the same, both/api/v1/auth/**and**/auth/**does not work
– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lackv1i used /api/v/auth/** only. Why does**/auth/**dont work?
– lemoncodes
Nov 18 at 12:27
add a comment |
still the same, both/api/v1/auth/**and**/auth/**does not work
– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lackv1i used /api/v/auth/** only. Why does**/auth/**dont work?
– lemoncodes
Nov 18 at 12:27
still the same, both
/api/v1/auth/** and **/auth/** does not work– lemoncodes
Nov 18 at 12:24
still the same, both
/api/v1/auth/** and **/auth/** does not work– lemoncodes
Nov 18 at 12:24
sorry scratch that, didn't notice i lack
v1 i used /api/v/auth/** only. Why does **/auth/** dont work?– lemoncodes
Nov 18 at 12:27
sorry scratch that, didn't notice i lack
v1 i used /api/v/auth/** only. Why does **/auth/** dont work?– lemoncodes
Nov 18 at 12:27
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53360694%2fspring-security-http-403-forbidden%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
