1

I'm having a problem with Spring Security configuration, method configure(WebSecurity) isn't working properly, below is my source code:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(jwtAuthenticationTokenFilter())
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

@Override
public void configure(WebSecurity web)  {
    web.ignoring().antMatchers("/auth", 
            "/v2/api-docs", 
            "/swagger-resources/**", 
            "/configuration/**", 
            "/swagger-ui.html",
            "/webjars/**",
            "/", "/refreshconfig", "/*.html", "/*.gif", "/favicon.ico", "/**/*.html", "/**/*.gif",
            "/**/*.css", "/**/*.js");
}


public class JwtAuthenticationTokenFilter extends BasicAuthenticationFilter {

private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);

@Autowired
private JwtTokenUtil jwtTokenUtil;

public JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil, AuthenticationManager authenticationManager) {
    super(authenticationManager);
}

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {

    String token = request.getHeader(JwtTokenUtil.TOKEN_HEADER);
    Authentication authentication = null;

    try {
        if (StringUtils.isNotBlank(token) && token.startsWith(JwtTokenUtil.TOKEN_PREFIX)) {
            log.info("JWT found {}", token);
            authentication = jwtTokenUtil.getAuthentication(token.replace(JwtTokenUtil.TOKEN_PREFIX, ""));
            SecurityContextHolder.getContext().setAuthentication(authentication);
        } else if (SecurityContextHolder.getContext().getAuthentication() != null
                && SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
            log.info("User already authenticated {}",
                    SecurityContextHolder.getContext().getAuthentication().getPrincipal());
        } else {
            log.info("Invalid JWT {}", token);
        }
        filterChain.doFilter(request, response);
    } catch (ExpiredJwtException ex) {
        response.setContentType("application/json");
        response.setStatus(HttpStatus.SC_INSUFFICIENT_SPACE_ON_RESOURCE);
        ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
        log.info("OUT ERROR END: {}", err.toString());
        response.getOutputStream().println(err.toString());
    } catch (UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException ex) {
        response.setContentType("application/json");
        response.setStatus(HttpStatus.SC_UNAUTHORIZED);
        ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
        log.info("OUT ERROR END: {}", err.toString());
        response.getOutputStream().println(err.toString());
    }
}

}

Even with the configure(WebSecurity web) method, still the filter added at configure(HttpSecurity) applies for all the resources, not taking in count the web.ignoring. Can somebody give me an idea why it is not working?

Kristjano Xhava
  • 13
  • 6

1 Answers1

1

From your source code, which is not complete in the question, i might suggest that Spring Boot is putting JwtAuthenticationTokenFilter class automatically into the filter chain. So, although was correct to exclude /auth/ in the ignoring() method in security config, that wasn't enough to stop the filter from happening in the context of Spring Boot itself. The solution is to remove the annotation @Bean from jwtAuthenticationTokenFilter() method or to follow the other way explained in Spring Security filter chain not ignoring specified path

Fausto Carvalho Marques Silva
  • 1,688
  • 4
  • 17
  • 31