
I'm using spring-boot-starter-oauth2-resource-server 2.3.6.RELEASE. As described here, the security config has to be done by providing:

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        .authorizeExchange(exchanges -> exchanges
            // /message/** needs the message:read scope; every other path needs an authenticated caller
            .pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
            .anyExchange().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt(withDefaults())
        );
    return http.build();
}

Does anybody have an idea how to add a "public" endpoint in the resource server that is accessible by an anonymous user?

Thanks Fredy

--- update 17.2.2021 8:43 ---
I changed the code as suggested, but still get an Access Denied. In org.springframework.security.access.expression.SecurityExpressionRoot
line 111, isAuthenticated() is returning false. That's correct, but for me just not so great.

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        .authorizeExchange(exchanges -> exchanges
            .pathMatchers("/init").permitAll()
            .pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
            .anyExchange().authenticated())
        .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
    return http.build();
}

Log:

2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.FilterChainProxy [FilterChainProxy.java:328] /error at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.FilterChainProxy [FilterChainProxy.java:328] /error at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.intercept.FilterSecurityInterceptor [AbstractSecurityInterceptor.java:219] Secure object: FilterInvocation: URL: /error; Attributes: [authenticated]
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.intercept.FilterSecurityInterceptor [AbstractSecurityInterceptor.java:348] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@615c75f9: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1CF0ACC15C790FEA93EF30F39DDC6492; Granted Authorities: ROLE_ANONYMOUS
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.access.vote.AffirmativeBased [AffirmativeBased.java:66] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4e3ebe19, returned: -1
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.ExceptionTranslationFilter [ExceptionTranslationFilter.java:180] Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
naturzukunft

2 Answers


A public endpoint is added in the same way that the /message endpoint was added:

http
    .authorizeExchange(exchanges -> exchanges
        .pathMatchers("/my/public/endpoint").permitAll()
        .pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
        .anyExchange().authenticated()
    )
    // ...

The path matchers are interpreted one at a time for each request. The rules from the first path match are applied.

jzheaux
  • Yes, that is what I also expect, but it doesn't work. org.springframework.security.access.expression.SecurityExpressionRoot line 111 isAuthenticated() is returning false. That's correct, but for me just not so great ;-) How can I add the log here without everything exploding? I will add a new comment. – naturzukunft Feb 17 '21 at 07:39

The reason was that the WebSecurityConfig was not in the "scanBasePackages" of @SpringBootApplication.

naturzukunft
  • This is wrong: this question is about the reactive version of the stack. The configuration class uses the `@EnableWebFluxSecurity` annotation, which relies on `WebFluxSecurityConfiguration`, and not `@EnableWebSecurity`, which relies on `WebSecurityConfig`. Traditional and reactive tools do not work together, as said here https://stackoverflow.com/questions/53847627/spring-webflux-with-traditional-web-security – mrq Nov 16 '22 at 09:20
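A test that pins down what both answers describe, added here and not part of the question or either answer: with WebTestClient it checks that the `/init` rule is applied ahead of `anyExchange().authenticated()` (first answer) and that the `SecurityWebFilterChain` bean is actually registered (second answer: if the configuration class sits outside `scanBasePackages`, Boot's default reactive resource-server chain requires authentication on every path and the `/init` assertion fails with 401). Assumed: a Spring Boot 2.3 WebFlux app using the question's updated configuration, `spring-security-test` on the test classpath, and constructed names for the test class, package and stub controller.

```java
// src/test/java/com/example/demo/PublicEndpointSecurityTests.java (constructed name and package)
package com.example.demo;

import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockJwt;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest
@AutoConfigureWebTestClient
@Import(PublicEndpointSecurityTests.StubEndpoints.class)
class PublicEndpointSecurityTests {

    // Stubbed decoder: the context starts without fetching issuer or JWK metadata.
    @MockBean ReactiveJwtDecoder jwtDecoder;
    @Autowired WebTestClient client;

    // Constructed handlers so a permitted request yields 200 instead of 404.
    @RestController
    static class StubEndpoints {
        @GetMapping("/init") String init() { return "init"; }
        @GetMapping("/message/{id}") String message() { return "message"; }
    }

    @Test
    void anonymousCanReachInitButNotMessages() {
        client.get().uri("/init").exchange().expectStatus().isOk();
        // A resource server answers 401 with WWW-Authenticate: Bearer, not a login redirect.
        client.get().uri("/message/1").exchange()
              .expectStatus().isUnauthorized().expectHeader().exists("WWW-Authenticate");
    }

    @Test
    void messagesRequireTheReadScope() {
        // mockJwt() carries only SCOPE_read by default, so the message rule must reject it.
        client.mutateWith(mockJwt()).get().uri("/message/1").exchange()
              .expectStatus().isForbidden();
        client.mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("SCOPE_message:read")))
              .get().uri("/message/1").exchange().expectStatus().isOk();
    }
}
```

Drop the `StubEndpoints` class and its `@Import` if the application already maps `/init` and `/message/{id}`, otherwise the duplicate mappings fail context start-up.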