// Imports and the enclosing class are not in the original snippet; the class name is assumed.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
   @Override
   protected void configure(HttpSecurity httpSecurity) throws Exception
   {
      // @formatter:off
      httpSecurity
               // CSRF protection is off: acceptable for a stateless API authenticated
               // with HTTP Basic, not for browser sessions that rely on cookies.
               .csrf()
               .disable()
               .authorizeRequests()
               // Every GET is public; everything else needs an authenticated user.
               .antMatchers(HttpMethod.GET).permitAll()
               .anyRequest()
               .authenticated()
               .and()
               .httpBasic()
               .and()
               // Entry point used when an unauthenticated request reaches a protected URL.
               .exceptionHandling()
               .authenticationEntryPoint(authenticationEntryPoint());
      // @formatter:on
   }

   // Writes a JSON error body instead of the default Boot error page.
   private static AuthenticationEntryPoint authenticationEntryPoint()
   {
      return (request, response, authException) -> {
         response.addHeader("WWW-Authenticate", "Basic realm=\"Realm\"");
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
         response.setStatus(HttpStatus.UNAUTHORIZED.value());
         String message = authException.getMessage();
         if (request.getHeaders("Authorization").hasMoreElements()) {
            message += ". Wrong Authorization Key.";
         } else {
            message += ". Missing Authorization Key in Header.";
         }
         // The message is interpolated into the JSON unescaped; it comes from Spring
         // Security's own exception text, not from the client, so that is tolerable here.
         response.getWriter().format("""
               {
                 "errors":[
                   {
                     "status": %d,
                     "title": "%s",
                     "detail": "%s"
                   }
                 ]
               }
               """,
               HttpStatus.UNAUTHORIZED.value(),
               HttpStatus.UNAUTHORIZED.name(),
               message
         );
      };
   }
}

When I send a POST request with wrong credentials, I get:

{
    "errors": [
        {
            "status": 401,
            "title": "UNAUTHORIZED",
            "detail": "Full authentication is required to access this resource. Wrong Authorization Key."
        }
    ]
}

For a GET method I don't get a formatted error:

{
    "timestamp": "2023-04-18T17:07:35.663+00:00",
    "status": 401,
    "error": "Unauthorized",
    "path": "/xxx/1111"
}

I would also like to get a pretty response, like for a POST.

dur
emoleumassi
  • But then why a 401 on a GET if it's permitAll()? If you are sending an auth header with the GET, remove it and see if it no longer responds with a 401. It seems to be reaching some internal Spring check. Also take the permitAll() out and test if a GET hits your entry point. – John Williams Apr 18 '23 at 18:16
  • When I remove the auth header, I get a 200. I removed `.antMatchers(HttpMethod.GET).permitAll()` and I got the same error as for a POST request. I think the problem is with the permitAll. – emoleumassi Apr 18 '23 at 18:42
  • There is a known bug/feature in Spring Security that causes a request to be 'validated' if it has an Authorization header long before the permitAll is hit. I believe that is what we have observed. Don't pass credentials unless they are valid. – John Williams Apr 18 '23 at 18:50
  • Why doesn't Spring Security call `AuthenticationEntryPoint` when bad credentials are passed? – emoleumassi Apr 18 '23 at 19:10

1 Answer


There is a known bug/feature in spring security that causes a request to be ‘validated’ if it has an Authorization header long before the permitAll() is hit. I believe that is what we have observed. Don’t pass credentials unless they are valid.

John Williams
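As an added illustration (this is not part of the answer above and not the asker's code), the "internal check" the comments refer to is BasicAuthenticationFilter. It runs before the authorization step, so it attempts authentication on every request that carries an `Authorization: Basic` header regardless of permitAll(), and on failure it calls the entry point configured on httpBasic(). That defaults to BasicAuthenticationEntryPoint, whose response.sendError(401) is what Spring Boot renders as the timestamp/status/error/path body shown in the question. The entry point registered under exceptionHandling() is only consulted later, by ExceptionTranslationFilter, when a request with no usable credentials reaches a protected URL. Registering the same entry point in both places makes a GET with bad credentials return the custom JSON body as well. The class name SecurityConfig and the realm name are assumptions; the JSON escaping of the message is an addition the original code did not have.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter   // class name assumed
{
   @Override
   protected void configure(HttpSecurity httpSecurity) throws Exception
   {
      AuthenticationEntryPoint jsonEntryPoint = jsonEntryPoint();
      // @formatter:off
      httpSecurity
               .csrf().disable()
               .authorizeRequests()
               .antMatchers(HttpMethod.GET).permitAll()
               .anyRequest().authenticated()
               .and()
               // Path 1: BasicAuthenticationFilter. Runs on every request carrying an
               // "Authorization: Basic ..." header, before permitAll() is evaluated.
               // Bad credentials -> this entry point. Without this line the default
               // BasicAuthenticationEntryPoint answers, via sendError(401), and Boot
               // produces the timestamp/status/error/path body.
               .httpBasic()
               .authenticationEntryPoint(jsonEntryPoint)
               .and()
               // Path 2: ExceptionTranslationFilter. Reached only when a request with no
               // usable credentials arrives at a URL that requires authentication.
               .exceptionHandling()
               .authenticationEntryPoint(jsonEntryPoint);
      // @formatter:on
   }

   private static AuthenticationEntryPoint jsonEntryPoint()
   {
      return (request, response, authException) -> {
         response.addHeader("WWW-Authenticate", "Basic realm=\"Realm\"");
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
         response.setStatus(HttpStatus.UNAUTHORIZED.value());
         String detail = authException.getMessage()
               + (request.getHeaders("Authorization").hasMoreElements()
                     ? ". Wrong Authorization Key."
                     : ". Missing Authorization Key in Header.");
         // Escape backslashes and quotes so the body stays valid JSON whatever the message says.
         String escaped = detail.replace("\\", "\\\\").replace("\"", "\\\"");
         String json = String.format(
               "{\"errors\":[{\"status\":%d,\"title\":\"%s\",\"detail\":\"%s\"}]}",
               HttpStatus.UNAUTHORIZED.value(),
               HttpStatus.UNAUTHORIZED.name(),
               escaped);
         response.getWriter().write(json);
      };
   }
}
```

With this wiring a GET without an Authorization header still returns 200, as the asker observed, and a GET with wrong credentials still returns 401 (the filter rejects presented credentials before permitAll() is reached), but now with the same JSON body that a POST produces. If you want a public GET to ignore bad credentials entirely, the only option the page supports is the one the answer gives: do not send the header.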