Spring Security HTTP 403 Forbidden











up vote
0
down vote

favorite












I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below



@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");

http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();

}


This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



Here is the spring security debug logs



2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 

************************************************************

Request received for POST '/api/v1/auth/login':

org.apache.catalina.connector.RequestFacade@1a183946

servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive


Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]


************************************************************


and here is the resource i am trying to access



@Path("/auth")
@Component
public class Auth {

private static final Logger logger = LoggerFactory.getLogger(Auth.class);

@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}

@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}

}


Just so we are clear, i am using Jersey + Spring Boot



Here is Jersey Config



@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {

}

@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}


Now, as what i understand on the http method series in configuremethod.



First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



Can somebody point out the mistakes or maybe my understanding is not correct.










share|improve this question




























    up vote
    0
    down vote

    favorite












    I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below



    @Override
    protected void configure(HttpSecurity http) throws Exception {
    logger.info("Setting Endpoint Security.");

    http
    .authorizeRequests()
    .antMatchers("/auth/**").permitAll()
    .anyRequest().authenticated()
    .and()
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .csrf().disable();

    }


    This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



    Here is the spring security debug logs



    2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 

    ************************************************************

    Request received for POST '/api/v1/auth/login':

    org.apache.catalina.connector.RequestFacade@1a183946

    servletPath:/api/v1
    pathInfo:/auth/login
    headers:
    content-type: application/x-www-form-urlencoded
    cache-control: no-cache
    postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
    user-agent: PostmanRuntime/7.4.0
    accept: */*
    host: localhost:8080
    cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
    accept-encoding: gzip, deflate
    content-length: 29
    connection: keep-alive


    Security filter chain: [
    WebAsyncManagerIntegrationFilter
    SecurityContextPersistenceFilter
    HeaderWriterFilter
    LogoutFilter
    RequestCacheAwareFilter
    SecurityContextHolderAwareRequestFilter
    AnonymousAuthenticationFilter
    SessionManagementFilter
    ExceptionTranslationFilter
    FilterSecurityInterceptor
    ]


    ************************************************************


    and here is the resource i am trying to access



    @Path("/auth")
    @Component
    public class Auth {

    private static final Logger logger = LoggerFactory.getLogger(Auth.class);

    @POST
    @Path("/login")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response login(@FormParam("username") String user,
    @FormParam("password") String pass) {
    logger.info("Form-data [username] {}",user);
    logger.info("Form-data [password] {}",pass);
    return Response.ok().build();
    }

    @POST
    @Path("/logout")
    @Produces({ MediaType.APPLICATION_JSON })
    public String logout() {
    return "Login!";
    }

    }


    Just so we are clear, i am using Jersey + Spring Boot



    Here is Jersey Config



    @Configuration
    @ApplicationPath("api/v1")
    public class JerseyConfig extends ResourceConfig{
    public JerseyConfig() {

    }

    @PostConstruct
    public void setUp() {
    register(Wish.class);
    register(Auth.class);
    register(User.class);
    register(GenericExceptionMapper.class);
    }
    }


    Now, as what i understand on the http method series in configuremethod.



    First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



    Can somebody point out the mistakes or maybe my understanding is not correct.










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below



      @Override
      protected void configure(HttpSecurity http) throws Exception {
      logger.info("Setting Endpoint Security.");

      http
      .authorizeRequests()
      .antMatchers("/auth/**").permitAll()
      .anyRequest().authenticated()
      .and()
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      .and()
      .csrf().disable();

      }


      This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



      Here is the spring security debug logs



      2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 

      ************************************************************

      Request received for POST '/api/v1/auth/login':

      org.apache.catalina.connector.RequestFacade@1a183946

      servletPath:/api/v1
      pathInfo:/auth/login
      headers:
      content-type: application/x-www-form-urlencoded
      cache-control: no-cache
      postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
      user-agent: PostmanRuntime/7.4.0
      accept: */*
      host: localhost:8080
      cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
      accept-encoding: gzip, deflate
      content-length: 29
      connection: keep-alive


      Security filter chain: [
      WebAsyncManagerIntegrationFilter
      SecurityContextPersistenceFilter
      HeaderWriterFilter
      LogoutFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
      ]


      ************************************************************


      and here is the resource i am trying to access



      @Path("/auth")
      @Component
      public class Auth {

      private static final Logger logger = LoggerFactory.getLogger(Auth.class);

      @POST
      @Path("/login")
      @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
      public Response login(@FormParam("username") String user,
      @FormParam("password") String pass) {
      logger.info("Form-data [username] {}",user);
      logger.info("Form-data [password] {}",pass);
      return Response.ok().build();
      }

      @POST
      @Path("/logout")
      @Produces({ MediaType.APPLICATION_JSON })
      public String logout() {
      return "Login!";
      }

      }


      Just so we are clear, i am using Jersey + Spring Boot



      Here is Jersey Config



      @Configuration
      @ApplicationPath("api/v1")
      public class JerseyConfig extends ResourceConfig{
      public JerseyConfig() {

      }

      @PostConstruct
      public void setUp() {
      register(Wish.class);
      register(Auth.class);
      register(User.class);
      register(GenericExceptionMapper.class);
      }
      }


      Now, as what i understand on the http method series in configuremethod.



      First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



      Can somebody point out the mistakes or maybe my understanding is not correct.










      share|improve this question















      I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below



      @Override
      protected void configure(HttpSecurity http) throws Exception {
      logger.info("Setting Endpoint Security.");

      http
      .authorizeRequests()
      .antMatchers("/auth/**").permitAll()
      .anyRequest().authenticated()
      .and()
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      .and()
      .csrf().disable();

      }


      This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter



      Here is the spring security debug logs



      2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 

      ************************************************************

      Request received for POST '/api/v1/auth/login':

      org.apache.catalina.connector.RequestFacade@1a183946

      servletPath:/api/v1
      pathInfo:/auth/login
      headers:
      content-type: application/x-www-form-urlencoded
      cache-control: no-cache
      postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
      user-agent: PostmanRuntime/7.4.0
      accept: */*
      host: localhost:8080
      cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
      accept-encoding: gzip, deflate
      content-length: 29
      connection: keep-alive


      Security filter chain: [
      WebAsyncManagerIntegrationFilter
      SecurityContextPersistenceFilter
      HeaderWriterFilter
      LogoutFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
      ]


      ************************************************************


      and here is the resource i am trying to access



      @Path("/auth")
      @Component
      public class Auth {

      private static final Logger logger = LoggerFactory.getLogger(Auth.class);

      @POST
      @Path("/login")
      @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
      public Response login(@FormParam("username") String user,
      @FormParam("password") String pass) {
      logger.info("Form-data [username] {}",user);
      logger.info("Form-data [password] {}",pass);
      return Response.ok().build();
      }

      @POST
      @Path("/logout")
      @Produces({ MediaType.APPLICATION_JSON })
      public String logout() {
      return "Login!";
      }

      }


      Just so we are clear, i am using Jersey + Spring Boot



      Here is Jersey Config



      @Configuration
      @ApplicationPath("api/v1")
      public class JerseyConfig extends ResourceConfig{
      public JerseyConfig() {

      }

      @PostConstruct
      public void setUp() {
      register(Wish.class);
      register(Auth.class);
      register(User.class);
      register(GenericExceptionMapper.class);
      }
      }


      Now, as what i understand on the http method series in configuremethod.



      First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.



      Can somebody point out the mistakes or maybe my understanding is not correct.







      spring rest jersey spring-security-rest






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 18 at 12:16

























      asked Nov 18 at 12:08









      lemoncodes

      96582539




      96582539
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27













          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53360694%2fspring-security-http-403-forbidden%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27

















          up vote
          2
          down vote



          accepted










          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer





















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27















          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order






          share|improve this answer












          your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,



          so change it to something like:



          .antMatchers("/api/v1/auth/**").permitAll()


          it should be the first one in the order







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 18 at 12:22









          slimane

          3494




          3494












          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27




















          • still the same, both /api/v1/auth/** and **/auth/** does not work
            – lemoncodes
            Nov 18 at 12:24










          • sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
            – lemoncodes
            Nov 18 at 12:27


















          still the same, both /api/v1/auth/** and **/auth/** does not work
          – lemoncodes
          Nov 18 at 12:24




          still the same, both /api/v1/auth/** and **/auth/** does not work
          – lemoncodes
          Nov 18 at 12:24












          sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
          – lemoncodes
          Nov 18 at 12:27






          sorry scratch that, didn't notice i lack v1 i used /api/v/auth/** only. Why does **/auth/** dont work?
          – lemoncodes
          Nov 18 at 12:27




















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53360694%2fspring-security-http-403-forbidden%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          Origin of the phrase “under your belt”?