Tags: spring-boot, spring-security, spring-oauth2

web.ignoring() is not working when addFilterBefore(customFilter(), AbstractPreAuthenticatedProcessingFilter.class) is present


Using Spring boot 2.2.4.RELEASE, spring-security-oauth2-2.3.3, spring-security-web-5.2.1.

I have set up successfully my oauth2 server and secured my endpoints using WebSecurityConfigurerAdapter and ResourceServerConfigurer.

The problem I'm having is that when I use addFilterBefore(customFilter(), AbstractPreAuthenticatedProcessingFilter.class) in my ResourceServerConfigurer, calls to unsecured paths still try to authenticate instead of being ignored: the request tries to pass through my customFilter().

I did set up all my custom filters manually and not as beans, so they won't be added automatically by Spring to the filter chain, but I still get this behavior. I also used ("/rest/**", "/api/**") ant matchers so customFilter() applies only when encountering these paths, but I still get this behavior.

On server startup I do see this, which is intended:

org.springframework.security.web.DefaultSecurityFilterChain - Creating filter chain: Ant [pattern='/usecured*'], []
org.springframework.security.web.DefaultSecurityFilterChain - Creating filter chain: Ant [pattern='/unsecured2*'], []
org.springframework.security.web.DefaultSecurityFilterChain - Creating filter chain: Ant [pattern='/usecured3*'], []

My WebSecurityConfigurerAdapter

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
@Order(1) // order 1 so it applies before the ResourceServerConfigurer paths
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class ApiSecurityRestLoginConfig extends WebSecurityConfigurerAdapter {

    //... (other members elided in the question)

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching these patterns bypass the security filter chain entirely
        web.ignoring().antMatchers("/usecured*","/unsecured2*","/usecured3*");
    }
}

My ResourceServerConfigurer

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

@EnableResourceServer
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class ApiSecurityResourceServerConfig implements ResourceServerConfigurer {

    //... (customFilter() and configure(ResourceServerSecurityConfigurer) elided in the question)

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests().antMatchers("/rest/**", "/api/**").authenticated()
                .and()
                //..
                .addFilterBefore(customFilter(), AbstractPreAuthenticatedProcessingFilter.class); // <-- when I remove this line, web.ignoring() works, otherwise it doesn't.
                //..
    }
}

Is this a bug or I'm approaching it the wrong way?


Solution

  • For reference

    I updated my web.ignoring() code to this

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/usecured*/**","/unsecured2*/**","/usecured3*/**");
    }
    

    and it worked.
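Why the original patterns missed sub-paths, as an added example that is not part of the question or the answer: it runs Spring's own AntPathMatcher (the matcher behind antMatchers()) over a few constructed request paths and compares the two ignore lists, assuming only spring-core on the classpath. Because web.ignoring() removes matching requests from the security filter chain entirely, the `/**` suffix should only be used on prefixes whose whole subtree is meant to be public.

```java
import org.springframework.util.AntPathMatcher;

public class IgnorePatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Ignore list from the question: '*' never crosses a '/' boundary
    static final String[] ORIGINAL = {"/usecured*", "/unsecured2*", "/usecured3*"};

    // Ignore list from the accepted fix: '/**' also matches zero or more sub-segments
    static final String[] FIXED = {"/usecured*/**", "/unsecured2*/**", "/usecured3*/**"};

    // True if any pattern in the list matches the request path
    static boolean isIgnored(String[] patterns, String requestPath) {
        for (String pattern : patterns) {
            if (MATCHER.match(pattern, requestPath)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths (hypothetical, not from the question)
        String[] paths = {
            "/usecured",            // ignored by both lists
            "/usecured1",           // ignored by both lists
            "/usecured/health",     // only the fixed list ignores this
            "/unsecured2/data/1",   // only the fixed list ignores this
            "/api/orders"           // ignored by neither: still goes through customFilter()
        };
        System.out.printf("%-22s %-9s %s%n", "path", "original", "fixed");
        for (String path : paths) {
            System.out.printf("%-22s %-9s %s%n", path,
                    isIgnored(ORIGINAL, path), isIgnored(FIXED, path));
        }
    }
}
```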