
I have a Spring Boot application that I can run locally with no issues with authentication. However, when I build it as a WAR and run it on a Tomcat server, the behavior is different.

It seems that the filter chain is not being triggered; can someone help me?

I have the following HelloController, for example:

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/hello")
public class HelloController {

    // Public endpoint: permitted for everyone by the security config below.
    @GetMapping("/hi")
    public String hello() {
        return "hi";
    }

    // Method-level check: only callers holding ROLE_USER may reach this.
    @GetMapping("/bye")
    @PreAuthorize("hasRole('USER')")
    public String bye() {
        return "bye";
    }

}

And a WebSecurityConfig as follows:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // required for @PreAuthorize on HelloController to be enforced
@Configuration
public class WebSecurityConfig {

    // unauthorizedHandler (an AuthenticationEntryPoint), authenticationProvider()
    // and authenticationJwtTokenFilter() are defined elsewhere in the project
    // and are not shown in the question.

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                // Stateless JWT setup: no HTTP session, custom 401 handler
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // /api/auth/** and /api/hello/** are public; everything else needs authentication
                .authorizeRequests().antMatchers("/api/auth/**").permitAll()
                .antMatchers("/api/hello/**").permitAll()
                .anyRequest().authenticated();

        http.authenticationProvider(authenticationProvider());

        // Run the JWT filter before the form-login filter so the token is read first
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

}

So when I call the endpoint localhost:8080/api/hello/hi locally, it returns hi as expected (because it's public).

When I call this endpoint deployed on Tomcat, it gives me: Full authentication is required to access this resource

--edit 1--

When I comment out the SecurityFilterChain, it makes no difference. I guess it's not configured correctly...

-- edit 2 --

I'm using Spring Boot 2.7.5 and Tomcat 8.5.

Did I forget something? Thanks in advance!

  • [`server.servlet.context-path`](https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.server.server.servlet.context-path)!? – xerx593 Nov 26 '22 at 11:18
  • Thanks for your answer, I've tried this before but changing the context path doesn't work on an external Tomcat. I've renamed my WAR to ROOT.war; it is deployed without an application name. – Jan Verhagen Nov 26 '22 at 11:50
  • A friendly nudge to take a peek at the tomcat server.xml for your remote server. I am guessing that there is security in there. Perhaps take a peek at the authorization message on your localhost for /api/auth/ and the error message you're getting on the server. Hopefully they are different and perhaps they say which application is serving the error. Another thing you could try and do is remote debugging to verify that it is either tomcat or your app that is serving that error message. Good luck. – hooknc Nov 30 '22 at 15:34

1 Answer


It looks like the security config is in web.xml inside your project or inside apache-tomcat-8.5.xx/conf/web.xml; it might look like this:

<security-constraint>
    <display-name>Spring App restriction</display-name>
    <web-resource-collection>
        <web-resource-name>Spring App restriction</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

If not, I recommend narrowing down the issue zone:

Deploy your app on a clean Tomcat server. If the issue is still there, the security config is definitely in the project; if there is no issue, check apache-tomcat-8.5.xx/conf/web.xml for any security configs, or additional middle servers: load balancers, firewalls, etc.

– saver
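The answer and the comments both come down to working out which layer produced the error. Here is an added triage helper (example code, not from the question or the answer): it inspects a captured HTTP error response and reports whether it carries the response headers that Spring Security's default HeaderWriterFilter adds (meaning the app's SecurityFilterChain did run) or the markers of Tomcat's own container error page. The two sample responses are constructed, not real captures.

```python
# Added triage helper: decides whether a 401/403 came from Spring Security
# (the app's own SecurityFilterChain ran) or from the servlet container
# (e.g. a <security-constraint> in web.xml). Sample responses are constructed.

# Spring Security's default HeaderWriterFilter adds these to every response it
# handles; a container-level constraint never sets them.
SPRING_SECURITY_HEADERS = {"x-content-type-options", "x-frame-options", "x-xss-protection"}
SPRING_BODY_MARKERS = ("Full authentication is required",)
TOMCAT_BODY_MARKERS = ("Apache Tomcat/", "HTTP Status 401", "HTTP Status 403")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])  # Tomcat omits the reason phrase; that is fine
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_auth_error(raw: str) -> str:
    """Return 'spring-security', 'container', 'unknown' or 'not-an-auth-error'."""
    status, headers, body = parse_response(raw)
    if status not in (401, 403):
        return "not-an-auth-error"
    if SPRING_SECURITY_HEADERS & set(headers) or any(m in body for m in SPRING_BODY_MARKERS):
        return "spring-security"
    if any(m in body for m in TOMCAT_BODY_MARKERS):
        return "container"
    return "unknown"


# Constructed samples: what each layer typically returns for GET /api/hello/hi.
SAMPLE_SPRING = (
    "HTTP/1.1 401 \r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"status":401,"error":"Unauthorized","message":"Full authentication is required '
    'to access this resource","path":"/api/hello/hi"}'
)
SAMPLE_TOMCAT = (
    "HTTP/1.1 403 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>HTTP Status 403 \u2013 Forbidden</title></head>"
    "<body><h3>Apache Tomcat/8.5.xx</h3></body></html>"
)

if __name__ == "__main__":
    for name, raw in (("localhost", SAMPLE_SPRING), ("tomcat", SAMPLE_TOMCAT)):
        print(f"{name}: {classify_auth_error(raw)}")
```

Feed it the raw output of `curl -i` against both environments; a "container" verdict on Tomcat but "spring-security" locally points at the container or its web.xml, while "spring-security" on both means the filter chain is running and the difference is in its configuration.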