0

I have a Spring Cloud application with OAuth2 authorization:

@RestController
@RequestMapping("/product")
public class ProductController {

    @GetMapping("/categories")
    public ResponseEntity<Map<Integer, CategoryFullDTO>> getCategoriesList() {

        .......
    }
}

I added this security configuration:

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(final HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
                .antMatchers(HttpMethod.GET, "/product/categories").permitAll()
                
                .anyRequest().authenticated()
                .and()
                .httpBasic().disable()
                .formLogin()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
                .and().csrf().disable();
    }
}


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
                .antMatchers(HttpMethod.GET, "/product/categories").permitAll()

                .anyRequest().authenticated()
                .and()
                .httpBasic().disable()
                .formLogin()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
                .and().csrf().disable();

//        http.requiresChannel()
//                .anyRequest().requiresInsecure();
    }
}

Github: https://github.com/rcbandit111/OAuth2/blob/master/src/main/java/org/engine/security/WebSecurityConfig.java

When I open Angular application I get access error: Failed to load resource: the server responded with a status of 401 () for /product/categories

Do you know what configuration I need to apply in order to make this path public without mandatory authorization?

P.S when I use Postman to make request it's working. It does return data without authorization. But looks like if you have auth_token still present and it has been expired, it seems that my authorization interceptor still catches it and apply it to the request which causes the error. Looks like JWT token verification logic returns the error. How I can solve this?

Peter Penzov
  • 1,126
  • 134
  • 430
  • 808
  • Did you try config like ```web.ignoring().antMatchers("/product/categories")```? – saver Jul 10 '21 at 00:13
  • https://stackoverflow.com/questions/29503952/spring-security-for-url-with-permitall-and-expired-auth-token – FarazAhmed Jul 10 '21 at 08:37
  • See the above answer, it explains your requirement solution. However, Generally the frontend application should have an interceptor for the API calls and there it should refresh token or redirect to login page on authorization error. – FarazAhmed Jul 10 '21 at 08:42

1 Answers1

1

If your Angular application uses an interceptor that injects headers with your token, you could use HttpBackend to prevent going through the interceptor chain:

https://angular.io/api/common/http/HttpBackend

H3AR7B3A7
  • 4,366
  • 2
  • 14
  • 37