I am currently in the process of migrating our services to Spring Boot 3 with Spring Security 6.
While doing so I am currently stuck on the problem that I want to establish a filter only for one set of endpoints:
@Bean
@Order(10)
SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(STATELESS)
        .and()
        .antMatcher("/cache/**") // <<<-- Problem
        .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
        .exceptionHandling({ exceptionHandling ->
            exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeRequests({ authorizeRequests ->
            authorizeRequests.anyRequest().fullyAuthenticated()
        })
        .build()
}
When I migrate, whatever I change here, I just always get a 401 for those endpoints.
My try:
@Bean
@Order(10)
SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) {
    http.csrf { it.disable() }
        .sessionManagement { it.sessionCreationPolicy(STATELESS) }
        .securityMatcher("/cache/**")
        .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
        .exceptionHandling({ exceptionHandling ->
            exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeHttpRequests({ authorizeRequests ->
            authorizeRequests
                .anyRequest().fullyAuthenticated()
        })
        .build()
}
Edit after comment: It is important that we tie this security chain to the regex above, as we have a different chain for the rest of the endpoints, which is configured in a lib and included in our service:
@Bean
@Order(10)
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(STATELESS)
        .and()
        .addFilterAfter(oauthAuthenticationFilter(jwtProcessor), LogoutFilter)
        .addFilterAfter(authenticationLessModeAuthenticationFilter(), OAuthAuthenticationFilter)
        .exceptionHandling({ exceptionHandling ->
            exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeHttpRequests({ authorizeRequests ->
            authorizeRequests
                .requestMatchers(antMatcher("/error")).permitAll()
                .anyRequest().fullyAuthenticated()
        })
        .build()
}
Any idea what I am doing wrong?
If the problem is in the migration and everything worked before you did it, the problem is in the internalEndpointsFilterChain configuration.
Based on the Migration Guide.
UPDATE
Can you try the following implementation and give me feedback on whether it helps you?
@Bean
@Order(10)
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable);
    http.sessionManagement(sessionAuthenticationStrategy ->
        sessionAuthenticationStrategy.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    http.securityMatcher("/cache/**")
        .authorizeHttpRequests(request ->
            request.anyRequest().fullyAuthenticated());
    http.addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter.class);
    http.exceptionHandling(exception -> exception.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint()));
    return http.build();
}
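Added example, not code from the question or the answer: both chains from the thread in one Spring Security 6 configuration, with the /cache/** chain given a lower @Order than the catch-all chain. FilterChainProxy walks the SecurityFilterChain beans in @Order and hands a request to the first chain whose securityMatcher matches, and a chain without a securityMatcher matches every request, so the specific chain must sort first. The asker's SharedSecretAuthenticationFilter and UnauthorizedAuthenticationEntryPoint are assumed to exist; the library's OAuth filters are left out.

```java
import jakarta.servlet.Filter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;

@Configuration
public class MultiChainSecurityConfig {

    // Most specific chain first: FilterChainProxy walks the chains in @Order and
    // hands the request to the first one whose securityMatcher matches.
    @Bean
    @Order(1)
    SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/cache/**")
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // shared-secret filter runs before ExceptionTranslationFilter, as in the question
            .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter.class)
            .exceptionHandling(eh -> eh.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint()))
            .authorizeHttpRequests(auth -> auth.anyRequest().fullyAuthenticated());
        return http.build();
    }

    // Catch-all chain: no securityMatcher, so it matches every request. With a higher
    // @Order it only sees requests the /cache/** chain did not claim; giving both chains
    // the same @Order (as in the question) leaves it to bean ordering which one wins.
    @Bean
    @Order(2)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(eh -> eh.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/error").permitAll()
                .anyRequest().fullyAuthenticated());
        return http.build();
    }

    // Assumed: the asker's own filter class; constructed here rather than declared as a
    // bean so Spring Boot does not also register it with the servlet container.
    private Filter sharedSecretAuthenticationFilter() {
        return new SharedSecretAuthenticationFilter();
    }
}
```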