
When I am not logged in with Spring Security, my authentication's currentPrincipalName is anonymousUser and its method .authenticated() returns true.

However, my configuration requires certain requests to be authenticated, and anonymousUser was denied access to them.

Here is the configuration code:

/**
 * Builds the HTTP security rules: forced UTF-8 request encoding, form login
 * served from {@code /login}, and two URL rules that demand a logged-in user.
 * Every other request is permitted.
 *
 * @param http the builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder calls
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Registered ahead of CsrfFilter; presumably so the request encoding is
    // fixed before the CSRF token parameter is read -- confirm.
    CharacterEncodingFilter encodingFilter = new CharacterEncodingFilter();
    encodingFilter.setForceEncoding(true);
    encodingFilter.setEncoding("UTF-8");

    http.addFilterBefore(encodingFilter, CsrfFilter.class)
        .formLogin() // support form login
            .loginPage("/login")
            .and()
        .authorizeRequests()
            // authenticated() is evaluated by the web expression handler as
            // "not anonymous" (it consults the AuthenticationTrustResolver), so
            // the AnonymousAuthenticationToken behind "anonymousUser" is denied
            // here even though Authentication.isAuthenticated() is true for it.
            // NOTE(review): the full SecurityConfig class on this page protects
            // "/spitters/me" while this excerpt protects "/spitter/me" -- confirm
            // which one matches the controller mapping.
            .antMatchers("/spitter/me").authenticated()
            .antMatchers(HttpMethod.POST, "/spittles").authenticated()
            // Allow-by-default: anything the two rules above do not match is
            // public. antMatchers compares the literal pattern, so path variants
            // Spring MVC may route to the same handler (trailing slash, suffix)
            // would fall through to this rule -- verify against the MVC config.
            .anyRequest().permitAll();
}

Both antMatchers rules blocked anonymousUser. Is there a reason why?

Edit: Why is this a duplicate? I am asking a completely different question. That question is "why is it authenticated?" and mine is "it is authenticated, so why is it not treated as authenticated?". The answers to that question do not answer mine.

Full Security config source code:

package spittr.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.CharacterEncodingFilter;

/**
 * Spring Security configuration for the application: JDBC-backed user lookup
 * with BCrypt password hashes, form login, and URL authorization rules.
 *
 * <p>NOTE(review): {@code @EnableWebMvcSecurity} is deprecated as of Spring
 * Security 4.0 in favour of {@code @EnableWebSecurity}; which version this
 * project builds against is not visible here.
 */
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Both lookups bind the username through a "?" placeholder, so the value
    // is passed as a statement parameter rather than concatenated into SQL.
    private static final String USERS_BY_USERNAME_QUERY = "select username, password, enabled "
            + " from spitter where username = ?";
    private static final String AUTHORITIES_BY_USERNAME_QUERY = "select username, role "
            + " from spitter where username =?";

    static {
        // Prints a marker when the class is initialized.
        System.out.println("SecurityConfig loaded");
    }

    // Injected by Spring; used as the source for the JDBC user store.
    @Autowired
    DataSource dataSource;

    /**
     * Registers JDBC authentication against the {@code spitter} table.
     *
     * @param auth the authentication builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security builder calls
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery(USERS_BY_USERNAME_QUERY)
            .authoritiesByUsernameQuery(AUTHORITIES_BY_USERNAME_QUERY)
            // Stored passwords are checked with the encoder bean below.
            .passwordEncoder(passwordEncoder());
    }

    /**
     * Builds the HTTP security rules: forced UTF-8 request encoding, form
     * login served from {@code /login}, and two URL rules that demand a
     * logged-in user. Every other request is permitted.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security builder calls
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Registered ahead of CsrfFilter; presumably so the request encoding
        // is fixed before the CSRF token parameter is read -- confirm.
        CharacterEncodingFilter encodingFilter = new CharacterEncodingFilter();
        encodingFilter.setForceEncoding(true);
        encodingFilter.setEncoding("UTF-8");

        http.addFilterBefore(encodingFilter, CsrfFilter.class)
            .formLogin() // support form login
                .loginPage("/login")
                .and()
            .authorizeRequests()
                // authenticated() is evaluated by the web expression handler
                // as "not anonymous" (it consults the
                // AuthenticationTrustResolver), so the
                // AnonymousAuthenticationToken behind "anonymousUser" is denied
                // here even though Authentication.isAuthenticated() is true
                // for it.
                .antMatchers("/spitters/me").authenticated()
                .antMatchers(HttpMethod.POST, "/spittles").authenticated()
                // Allow-by-default: anything the two rules above do not match
                // is public. antMatchers compares the literal pattern, so path
                // variants Spring MVC may route to the same handler (trailing
                // slash, suffix) would fall through to this rule -- verify
                // against the MVC config.
                .anyRequest().permitAll();
    }

    /**
     * Exposes the password encoder used by the JDBC authentication setup.
     *
     * @return a new {@link BCryptPasswordEncoder} with its default settings
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        return bcrypt;
    }
}
  • Possible duplicate of https://stackoverflow.com/questions/26101738/why-is-the-anonymoususer-authenticated-in-spring-security – Afridi Jul 25 '17 at 10:17
    Possible duplicate of [Why is the 'anonymousUser' authenticated in Spring Security?](https://stackoverflow.com/questions/26101738/why-is-the-anonymoususer-authenticated-in-spring-security) – dur Jul 25 '17 at 12:11
