I'm testing spring security with the simplest maven project I can do:
I'm following this tutorial Now I have this behavior:
Can you please point out my mistake in the SecurityFilterChain bean?
I tried changing my auth2 server with these lines in application.properties:
spring.security.oauth2.client.registration.google.clientId=530421597466-qrujkh0hfnrgXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
spring.security.oauth2.client.registration.google.clientSecret=WN4_yZ_fB5BZB5XXXXXXXXXX
But clearly, the error is in the SecurityFilterChain bean. I've tried several changes to this file, but I'm confused about what is wrong.
Thanks in advance.
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.5</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>oa.tests</groupId>
<artifactId>securitytest</artifactId>
<version>1.0</version>
<name>securitytest</name>
<description>Test for Spring security</description>
<properties>
<java.version>21</java.version>
<spring.boot.mainclass>oa.tests.securitytest.SecurityTest</spring.boot.mainclass>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<image>
<builder>paketobuildpacks/builder-jammy-base:latest</builder>
</image>
</configuration>
</plugin>
</plugins>
</build>
</project>
SecurityTest.java:
package oa.tests.securitytest;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SecurityTest {
public static void main(String[] args) {
SpringApplication.run(SecurityTest.class, args);
}
}
SecurityConfig.java:
package oa.tests.securitytest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(a -> a
.requestMatchers("/index.html", "/error").permitAll()
.anyRequest().authenticated()
)
.logout(l -> l
.logoutSuccessUrl("/").permitAll()
)
.exceptionHandling(e -> e
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
)
.oauth2Login(withDefaults());
return http.build();
}
}
application.properties:
spring.security.oauth2.client.registration.github.clientId=4e5e66b02640eeb2XXX
spring.security.oauth2.client.registration.github.clientSecret=acefbb827cf0c635d1331e122ba912XXXXXXXXXX
With .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) you ask Spring Security to return 401 Unauthorized to unauthorized requests (instead of the default which is 302 Redirect to login). This is not in the tutorial you linked and is most probably the cause for your current problem when trying to access your protected page.
I suggest that you have a look at my OAuth2 essentials and tutorials...