After upgraded to Spring Boot 3.0.0 from 2.7.6, public API are not accessible.
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.csrf(CsrfConfigurer::disable)
.authorizeHttpRequests(requests -> requests
.anyRequest().authenticated())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.build();
}
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return web -> web
.ignoring()
.requestMatchers(CorsUtils::isPreFlightRequest)
.requestMatchers("/actuator/**", "/graphiql/**", "/voyager/**", "/vendor/**", "/rest/**",
"/swagger-ui/**", "/v3/api-docs/**");
}
You are almost there: move requestMatchers
with permitAll
to SecurityFilterChain
definition (and remove WebSecurityCustomizer
):
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.csrf(CsrfConfigurer::disable)
.authorizeHttpRequests(requests -> requests
.requestMatchers("/resources/**", "/signup", "/about").permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.build();
}
Also, make sure the configuration class containing your SecurityFilterChain
bean declaration is decorated with @Configuration
(set a breakpoint or log line to ensure it is instantiated).
Few notes:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
http.cors().configurationSource(corsConfigurationSource())
jwtAuthenticationConverter
to JWT oauth2ResourceServer
configurerYou can do all of above with no Java conf (just a few properties) with thin wrappers around spring-boot-starter-oauth2-resource-server
I wrote:
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
<version>6.0.9</version>
</dependency>
@Configuration
@EnableMethodSecurity
public static class SecurityConfig {
}
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
# This is adapted to Keycloak with a client-id spring-addons-public. Replace with the claim(s) your authorization-server puts roles into
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons-public.roles
# you might want something more restrictive as allowed origins (accepts a list), at least for a part of your endpoints
com.c4-soft.springaddons.security.cors[0].path=/**
com.c4-soft.springaddons.security.cors[0].allowed-origins=*
Complete (short) tutorials there (with spring libs only or "my" wrappers): https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials