Spring Security not intercepting correctly?

Question

I have Spring Boot configuration which looks something like this:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .addFilterBefore( new Filter(), UsernamePasswordAuthenticationFilter.class)
    .csrf().disable() // Disabled, cause enabling it will cause sessions
    .headers()
        .frameOptions()
        .sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter())
        .and()
    .authorizeRequests()
        .antMatchers("/app/**", "/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK)
        .anyRequest().permitAll();

My understanding was only the requests which start with /app or /rest will be intercepted by my custom filter but it turns out the requests to the root (http://localhost:8080/context/) are also intercepted.

I have multiple configurations for Spring Security the other configuration looks like this:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .csrf().disable();

if (taskAppProperties.isRestEnabled()) {
    if (restAppProperties.isVerifyRestApiPrivilege()) {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").hasAuthority(DefaultPrivileges.ACCESS_REST_API)
                .and()
            .httpBasic();
    } else {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").authenticated()
                .and()
            .httpBasic();
    }
} else {
    http
        .antMatcher("/*-api/**")
        .authorizeRequests()
            .antMatchers("/*-api/**").denyAll();
}

Can anyone help?

`http.authorizeRequests()` means `http.antMatcher("/**").authorizeRequests()`. It means all urls will be intercepted and verified for authorization. If you want your http security configuration to be limited for very few set of URL's then you should go for `http.antMatcher("/app/**", "/rest/**").authorizeRequests()` or in advanced you can choose requestMatcher as given in [this link](https://stackoverflow.com/a/58755858/2825798) — PraveenKumar Lalasangi, Nov 15 '19 at 18:39

score 3 · Accepted Answer · answered Nov 15 '19 at 21:05

I realize this is a bit confusing, but there are actually two antMatchers methods, one that branches from authorizedRequests and another that branches from requestMatchers.

Let's look at the following declaration:

http
    .requestMatchers()
        .antMatchers("/app/**", "/api/**")
        .and()
    .authorizeRequests()
        .antMatchers("...").authenticated()
    ...

The requestMatchers() DSL is where you describe the endpoints that matter to that instance of the Spring Security filter chain. So, this filter chain will only engage for URIs that start with /app or /api.

Let's take a look at another one:

http
    .authorizeRequests()
    .antMatchers("/app/**", "/api/**")
    .authenticated();

While this may appear to be doing the same thing, it isn't. That's because you are calling the antMatchers method that belongs to authorizeRequests().

This is why indentation is important with the Spring Security DSL. Because there's a hierarchy in the DSL, then you want to indent, just like you want to indent inside your if statements.

In Spring Security 5.2, this is simplified a bit with the new lambda DSL:

http
    .requestMatchers(r -> r.antMatchers("/app/**", "/api/**"))
    .authorizeRequests(a -> a.antMatchers("...").authenticated());

score 0 · Answer 2 · answered Nov 15 '19 at 17:26

HttpSecurity.authorizeRequests - returns ExpressionInterceptUrlRegistry where we are setting Matchers and Roles condition, which will be added using method ExpressionInterceptUrlRegistry.getRegistry and if you check other usage of this method only at permitAll stub where actual authentication happens.

The filter we add using HttpSecurity.addFilterBefore will not check any Request matching. If you need, you can do one more check in your custom filter to avoid other URIs

http
  .sessionManagement()
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  .and()
  .addFilterAfter( new Filter() {
      @Override
      public void init(FilterConfig filterConfig) throws ServletException {

      }

      @Override
      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
          HttpServletRequest httpServletRequest = ((HttpServletRequest) request);
          if(httpServletRequest.getRequestURI().startsWith("/app/") || httpServletRequest.getRequestURI().startsWith("/rest/")) {
              // Do you secured filter computations

          } 
          chain.doFilter(request, response);
      }

      @Override
      public void destroy() {

      }}, UsernamePasswordAuthenticationFilter.class)
  .csrf()
  .disable() // Disabled, cause enabling it will cause sessions
  .headers()
  .frameOptions()
  .sameOrigin()
  .addHeaderWriter(new XXssProtectionHeaderWriter())
  .and()
  .authorizeRequests()
  .antMatchers("/app/**", "/rest/**")
  .hasAuthority(DefaultPrivileges.ACCESS_TASK)
  .anyRequest()
  .permitAll();

Spring Security not intercepting correctly?

2 Answers2