
Completed 403 FORBIDDEN in spring-reactive-sample-boot-data-mongo when doing post #7

Closed
darmandovargas3 opened this issue Nov 22, 2018 · 4 comments

@darmandovargas3

Hi dear Hantsy

Before all I want to thank you for this awesome collection of samples.

I'm working on the spring-reactive-sample-boot-data-mongo. My problem is with something I guess is beyond the authentication. I know you have a portion of your documentation about it (https://github.com/hantsy/spring-reactive-sample#security-for-webflux), but the thing is that no matter whether I use your same curl with the username and password of your sample, I always get this result in Postman:

CSRF Token has been associated to this client

and in the backend I got this:

```
2018-11-21 22:07:28.968 DEBUG 46190 --- [ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [feb8e527] HTTP POST "/posts"
2018-11-21 22:07:28.974 DEBUG 46190 --- [ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [feb8e527] Completed 403 FORBIDDEN
2018-11-21 22:07:39.423 DEBUG 46190 --- [ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [feb8e527] HTTP DELETE "/posts/5bf616be20058db33b1939ad"
2018-11-21 22:07:39.425 DEBUG 46190 --- [ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [feb8e527] Completed 403 FORBIDDEN
```

a bunch of "Completed 403 FORBIDDEN" messages. Do you have an idea what it is?

Thanks a lot for your time

Best Regards
Diego Vargas

@darmandovargas3

Here is my call just for your information:

```shell
Diegos-MBP:engine-monitor-speedman-enterprise Diego$ curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{\"title\":\"My Post\",\"content\":\"content of My Post\"}"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> POST /posts HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.60.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 50
>
* upload completely sent off: 50 out of 50 bytes
< HTTP/1.1 403 Forbidden
< transfer-encoding: chunked
< Content-Type: text/plain
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1 ; mode=block
< Referrer-Policy: no-referrer
<
* Connection #0 to host localhost left intact
```

@darmandovargas3

Hi Hantsy
I did add this `.csrf().disable()` to the springWebFilterChain, which got rid of the 403 issue, but now it always returns 401, no matter what username and password I define in userDetailsRepository and pass to the curl command:

```java
return http
        .csrf().disable()
        .authorizeExchange()
        .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
        .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
        .pathMatchers("/posts/**").authenticated()
        //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
        .anyExchange().permitAll()
        .and()
        .build();
```

This is my UserDetailRepository:

```java
@Bean
public MapReactiveUserDetailsService userDetailsRepository() {
    UserDetails rob = User.withUsername("test").password("test123").roles("USER").build();
    UserDetails admin = User.withUsername("admin").password("admin123").roles("USER", "ADMIN").build();
    return new MapReactiveUserDetailsService(rob, admin);
}
```

and this is my curl call:

```shell
curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{\"title\":\"My Post\",\"content\":\"content of My Post\"}"
```

This is my response:

```shell
Diegos-MBP:engine-monitor-speedman-enterprise Diego$ curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{\"title\":\"My Post\",\"content\":\"content of My Post\"}"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> POST /posts HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.60.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 50
>
* upload completely sent off: 50 out of 50 bytes
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Realm"
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1 ; mode=block
< Referrer-Policy: no-referrer
< content-length: 0
<
* Connection #0 to host localhost left intact
```

@darmandovargas3

Hi Hantsy

I think I finally made it work locally. I had to add not only `.csrf().disable()` but also `.httpBasic()`. Here is my SecurityConfig file:

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;

import reactor.core.publisher.Mono;

@EnableWebFluxSecurity
class SecurityConfig {

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        return http
                // CSRF protection is on by default in the reactive ServerHttpSecurity;
                // without a token, every POST/PUT/DELETE is rejected with 403
                .csrf().disable()
                .authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
                .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
                .pathMatchers("/posts/**").authenticated()
                //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
                .anyExchange().permitAll()
                .and()
                // registers the filter that reads the "Authorization: Basic ..." header;
                // without it the request stays anonymous and authenticated() answers 401
                .httpBasic()
                .and()
                .build();
    }

    private Mono<AuthorizationDecision> currentUserMatchesPath(Mono<Authentication> authentication, AuthorizationContext context) {
        return authentication
                .map(a -> context.getVariables().get("user").equals(a.getName()))
                .map(granted -> new AuthorizationDecision(granted));
    }

    @Bean
    public MapReactiveUserDetailsService userDetailsRepository() {
        // withDefaultPasswordEncoder() stores "{bcrypt}"-prefixed hashes so the default
        // DelegatingPasswordEncoder can verify them; Spring Security marks it as demo-only
        UserDetails rob = User.withDefaultPasswordEncoder().username("test").password("test123").roles("USER").build();
        UserDetails admin = User.withDefaultPasswordEncoder().username("admin").password("admin123").roles("USER", "ADMIN").build();
        return new MapReactiveUserDetailsService(rob, admin);
    }

}
```

Any suggestion about it is more than welcome, thanks a lot !
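The three comments above walk through one procedure: 403 from the default CSRF filter, 401 once CSRF is off but no Basic-auth filter is registered, then a working chain with `.httpBasic()` and encoded passwords. As an added example (not code from this issue or from hantsy's repository), here is a `WebTestClient` test that builds the same rules outside a Spring context and pins down the 401/403/2xx behaviour that the curl sessions above showed. It assumes Spring Boot 2.1 / Spring Security 5.1 (for `HttpHeaders.setBasicAuth` and the reactive `ServerHttpSecurity` API) and JUnit 5 on the test classpath; the `PostsSecurityRulesTest` class, the in-memory router function standing in for the sample's Mongo-backed controller, and the bcrypt-encoded users are all assumptions of this example.

```java
package com.example.demo;

import static org.springframework.web.reactive.function.server.RequestPredicates.DELETE;
import static org.springframework.web.reactive.function.server.RequestPredicates.GET;
import static org.springframework.web.reactive.function.server.RequestPredicates.POST;
import static org.springframework.web.reactive.function.server.RouterFunctions.route;

import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.ServerResponse;

// Example test, not part of the spring-reactive-sample project.
class PostsSecurityRulesTest {

    // Delegating encoder: stored hashes carry an {id} prefix ({bcrypt}...), so
    // verification never fails with "no PasswordEncoder mapped for the id null".
    private static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Same two users as the issue, with bcrypt hashes instead of User.withDefaultPasswordEncoder().
    static MapReactiveUserDetailsService users() {
        UserDetails user = User.withUsername("test").password(ENCODER.encode("test123")).roles("USER").build();
        UserDetails admin = User.withUsername("admin").password(ENCODER.encode("admin123")).roles("USER", "ADMIN").build();
        return new MapReactiveUserDetailsService(user, admin);
    }

    // Same rules as the final SecurityConfig in the issue, built without an application context.
    static SecurityWebFilterChain chain() {
        UserDetailsRepositoryReactiveAuthenticationManager manager =
                new UserDetailsRepositoryReactiveAuthenticationManager(users());
        manager.setPasswordEncoder(ENCODER);
        return ServerHttpSecurity.http()
                .authenticationManager(manager)
                // Stateless API: no WebSession is created, so every request must carry its own credentials.
                .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                // Safe to disable only because nothing here authenticates by cookie or session.
                .csrf().disable()
                .httpBasic().and()
                .authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
                .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
                .pathMatchers("/posts/**").authenticated()
                .anyExchange().permitAll()
                .and()
                .build();
    }

    // Stand-in for the sample's PostController (assumed); the real one talks to MongoDB.
    static RouterFunction<ServerResponse> routes() {
        return route(GET("/posts"), req -> ServerResponse.ok().build())
                .andRoute(POST("/posts"), req -> ServerResponse.created(req.uri()).build())
                .andRoute(DELETE("/posts/{id}"), req -> ServerResponse.noContent().build());
    }

    private final WebTestClient client = WebTestClient
            .bindToRouterFunction(routes())
            .webFilter(new WebFilterChainProxy(chain()))
            .build();

    @Test
    void anonymousCanReadButNotWrite() {
        client.get().uri("/posts").exchange().expectStatus().isOk();
        // No Authorization header: the entry point answers 401 with a Basic challenge, as in the curl log.
        client.post().uri("/posts").exchange()
                .expectStatus().isUnauthorized()
                .expectHeader().valueMatches("WWW-Authenticate", "Basic realm=\".*\"");
    }

    @Test
    void userCanCreateButOnlyAdminCanDelete() {
        client.post().uri("/posts").headers(h -> h.setBasicAuth("test", "test123")).exchange()
                .expectStatus().isCreated();
        // Authenticated but lacking ROLE_ADMIN: access denied handler, 403.
        client.delete().uri("/posts/1").headers(h -> h.setBasicAuth("test", "test123")).exchange()
                .expectStatus().isForbidden();
        client.delete().uri("/posts/1").headers(h -> h.setBasicAuth("admin", "admin123")).exchange()
                .expectStatus().isNoContent();
    }

    @Test
    void wrongPasswordIsRejected() {
        client.post().uri("/posts").headers(h -> h.setBasicAuth("admin", "nope")).exchange()
                .expectStatus().isUnauthorized();
    }
}
```

Two choices in the chain are worth keeping in mind when copying the issue's config into a real service. `NoOpServerSecurityContextRepository` makes the API genuinely stateless, which is the property that justifies `.csrf().disable()`: if a session-cookie login such as `formLogin()` is added later, the CSRF filter should go back on. And encoding passwords through `PasswordEncoderFactories.createDelegatingPasswordEncoder()` gives the same `{bcrypt}` prefix that `withDefaultPasswordEncoder()` produces, without the demo-only helper.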

@hantsy (Owner)

hantsy commented Nov 22, 2018

@darmandovargas3 Yes, the newest Spring Security reactive added CSRF support. I will review the related code.

@hantsy hantsy closed this as completed in 8ed75d1 Nov 24, 2018
hellosatish added a commit to hellosatish/spring-reactive-sample that referenced this issue Dec 14, 2018
* fixed a typo error

* Upgraded Spring Boot to 2.0.3

* Fix typo

* mongo transaction sample.

* added Mongo cluster docker compose yml file.

* updated the mongo init scripts.

* added initdb user and password to initialize scripts in Mongo.

* added redis messaging.

* upgraded Spring Boot 2.1.0.RC1

* fixed tests in vanilla.

* clean codes.

* init codes of Spring Data R2DBC

* added postgres db in docker-compose.yml

* fixed Repository bean discovery issue.

* added subscribe to the stream

* added init.sql into docker.

* Upgrade to Spring Boot 2.1.0.RELEASE

* fixed hantsy#7

* added @DataMongoTest example.