1

I have an endpoint (GetMapping( "/testendpoint" )) that I want to leave without my authentication filter running. But no matter what I do, it still calls the filter and rejects it as 401 since there's no Jwt in the header.

NOTE: It only calls the filter once.

How do I make it unsecured and keep it from calling the filter?

@EnableWebSecurity
@Import( { Config.class } )
@EnableConfigurationProperties( { JwtProperties.class } )
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    private JwtProperties jwtProperties;

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        web.ignoring()
            .antMatchers( "/swagger-ui.html" ) //This goes through without security
            .antMatchers( "/metrics" ) //This calls the filter
            .antMatchers( "/testendpoint" ); //This calls the filter
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter( jwtProperties );
        ExceptionHandlerFilter exceptionHandlerFilter = new ExceptionHandlerFilter();
        http.csrf().disable().authorizeRequests()
            .antMatchers( "/" ).permitAll()
            .antMatchers( "/testendpoint" ).permitAll() //Doesn't stop the filter
            .and()
            .addFilterAfter( jwtAuthenticationFilter, BasicAuthenticationFilter.class )
            .addFilterBefore( exceptionHandlerFilter, JWTAuthenticationFilter.class );
            /* Adding the below also did not work
            .authorizeRequests()
            .antMatchers( "/testendpoint/**" ).permitAll();
            */
    }
}

My endpoint is an actuator endpoint:

@Configuration
@ManagementContextConfiguration
@CacheController
public class TestController extends AbstractMvcEndpoint
{
    @GetMapping( value = "/testendpoint", produces = MediaType.APPLICATION_JSON_UTF8_VALUE )
    public String getSomething(HttpServletRequest request) throws Exception
    {
        return "hello";
    }
}
Don Rhummy
  • 24,730
  • 42
  • 175
  • 330
  • Try `web.ignoring().antMatchers( "/swagger-ui.html", "/metrics", "/testendpoint");` – Ritesh Jan 27 '18 at 13:08
  • @Ritesh That didn't fix it – Don Rhummy Jan 27 '18 at 18:05
  • @dur It's still not my answer. The problem is that it's throwing an unauthorized exception when it should be allowing my "/testendpoint". That's the issue I'm asking about. – Don Rhummy Jan 27 '18 at 18:22
  • @DonRhummy: Please read the other question and do it like in the accepted answer. Sure, your filter is throwing an exception, because it should not be executed at all. – dur Jan 27 '18 at 18:26

1 Answers1

0

If you have endpoint that is just used during testing, just place it in src/test/java instead of src/main/java. That way it will be autowired only during test phase and will not be present in production code.

That way you can skip ignore configuration in production spring security config.

luboskrnac
  • 23,973
  • 10
  • 81
  • 92