SpringSecurity using memory authentication don't returns error 403 in http put method

Question

I don't receive the error 403 in http "put" method using SpringSecurity in memory authentication. The method returned 200 when it should return 403. The same code using http "post" method works normally. Note the exemple:

The Websecurity configuration:

@Configuration
public class WebSecutiryConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    @Bean
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    @Bean
    protected UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("11111111111")
                .password(passwordEncoder().encode("minhasenha")).roles("Administrador").and().withUser("22222222222")
                .password(passwordEncoder().encode("minhasenha")).roles("Consulta");
    }

}

This is my ResourceServerConfigurerAdapter:

@Configuration
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        
         http
          .csrf().disable()
            .authorizeRequests()

        
                .antMatchers(HttpMethod.GET, "/v1/cnaes").hasAnyRole("Administrador", "Alteracao", "Consulta")
                .antMatchers(HttpMethod.POST, "/v1/cnaes").hasRole("Administrador")
                .antMatchers(HttpMethod.DELETE, "/v1/cnaes").hasRole("Administrador")
                .antMatchers(HttpMethod.PUT, "/v1/cnaes/delete").hasRole("Administrador")
                .antMatchers(HttpMethod.PUT, "/v1/cnaes").hasRole("Administrador")

              .and()
                .anonymous().disable()
                .exceptionHandling();
                
    }
}

This is my method in a test class:

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class CnaeTeste {

    @LocalServerPort
    private int port;

    private String urlGeracaoToken = "http://localhost:8088/oauth/token";

    private String oauthTokenPerfilAdministrador;
    private String oauthTokenPerfilConsulta;

    @Before
    public void setup() {

        RestAssured.baseURI = "http://localhost:5555/mysystem/v1/cnaes";

    }

    @Before
    public void autenticarPerfilAdministrador() {

        Response response = RestAssured.given().auth().basic("usuario-bearer", "omissospj-pwd-bearer")
                .formParam("scope", "intranet").formParam("username", "07068684718").formParam("password", "minhasenha")
                .formParam("grant_type", "password").when().post(this.urlGeracaoToken);
        this.oauthTokenPerfilAdministrador = response.jsonPath().get("access_token");

    }

    @Before
    public void autenticarPerfilConsulta() {

        Response response = RestAssured.given().auth().basic("usuario-bearer", "omissospj-pwd-bearer")
                .formParam("scope", "intranet").formParam("username", "22222222222").formParam("password", "minhasenha")
                .formParam("grant_type", "password").when().post(this.urlGeracaoToken);
        this.oauthTokenPerfilConsulta = response.jsonPath().get("access_token");

    }

    @Test
    public void falhaAtualizarQuandoUsuarioPerfilAlteracaoStatusCode403() throws Exception {

        // insert
        Cnae cnae = new Cnae(0L, "2222222", "CNAE de Teste - Criada - Perfil Administrador", false);

        ObjectWriter ow = new ObjectMapper().writer().withDefaultPrettyPrinter();
        String json = ow.writeValueAsString(cnae);

        Response responseInclusao = RestAssured.given()
                .headers("Authorization", "Bearer " + this.oauthTokenPerfilAdministrador, "Content-Type",
                        ContentType.JSON, "Accept", ContentType.JSON)
                .body(json).when().post();

        Assertions.assertThat(responseInclusao.getStatusCode()).isEqualTo(201);

        // update
        String stringResponse = responseInclusao.getBody().asString();
        JSONObject jsonObject = new JSONObject(stringResponse);
        String idCadastrado = jsonObject.getString("id");
        Long idAtualizado = Long.parseLong(idCadastrado);

        cnae = new Cnae(idAtualizado, "2222222", "CNAE de Teste - Atualizada - Perfil Alteração", false);

        ow = new ObjectMapper().writer().withDefaultPrettyPrinter();
        json = ow.writeValueAsString(cnae);

        Response responseAlteracao = RestAssured.given().headers("Authorization",
                "Bearer " + this.oauthTokenPerfilConsulta, "Content-Type", ContentType.JSON, "Accept", ContentType.JSON)
                .body(json).when().put("/" + idCadastrado);

        Assertions.assertThat(responseAlteracao.getStatusCode()).isEqualTo(403);

        // delete
        Response responseExcluir = RestAssured.given()
                .headers("Authorization", "Bearer " + this.oauthTokenPerfilAdministrador, "Content-Type",
                        ContentType.JSON, "Accept", ContentType.JSON)
                .when().delete("/" + idCadastrado).then().extract().response();

        Assertions.assertThat(responseExcluir.getStatusCode()).isEqualTo(200);

    }
}

I'm receive the 200 status code, when I expect to receive 403:

Assertions.assertThat(responseAlteracao.getStatusCode()).isEqualTo(403);

Any suggestion?

Answer 1

Is it also failing for delete, or only put?

Your put is directed to the url
http://localhost:5555/mysystem/v1/cnaes/idCadastrado

but you only match for /v1/cnaes :
.antMatchers(HttpMethod.PUT, "/v1/cnaes").hasRole("Administrador")

Maybe you need to ensure that other requests be authenticated:
.antMatchers(HttpMethod.PUT, "/v1/cnaes/**").authenticated() or
.antMatchers(HttpMethod.PUT, "/v1/cnaes/**").hasRole("Administrador") or
.anyRequest().hasRole("Administrador") (place at the end after adding all other antMatchers)

It should still fail if there is no mapping in your controller to /v1/cnaes/:id, but I cannot see your controller entry points in the code you provided. I imagine that if the entry point exists, with the security level of @PreAuthorize("permitAll"), then you are successfully invoking it.