
MVC Matcher rules that worked in Spring Security 5.7.6 don't work in 6.0.1 #12463

Closed
mklinkj opened this issue Dec 25, 2022 · 4 comments
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com); in: config (An issue in spring-security-config)

Comments

@mklinkj

mklinkj commented Dec 25, 2022

Hello.

MVC Matcher rules that worked in Spring Security 5.7.6 don't work in 6.0.1.

Spring Security 5.7.6 configuration (Spring Boot 2.7.7 environment)

  • Configuration

        http.authorizeHttpRequests() //
            .mvcMatchers("/hello")
            .authenticated();
  • Test code

      // HTTP 200 Response
      @Test
      @WithUserDetails("mklinkj")
      void testCallingHelloVariationWithAuthentication() throws Exception {
        mvc.perform(get("/hello/")) //
            .andExpect(status().isOk());
      }

Spring Security 6.0.1 configuration (Spring Boot 3.0.1 environment)

  • Configuration

        http.authorizeHttpRequests() //
            .requestMatchers("/hello")
            .authenticated();
  • Test code

      // HTTP 403 Response
      @Test
      @WithUserDetails("mklinkj")
      void testCallingHelloVariationWithAuthentication() throws Exception {
        mvc.perform(get("/hello/")) //
            .andExpect(status().isForbidden());
      }

As above, I expected a 200 response, but I get a 403 response in the Spring Security 6.0.1 environment.

I don't think I did anything wrong, but I shared it because I didn't know if it was a bug.

Thank you.

@jzheaux
Contributor

jzheaux commented Jan 3, 2023

The reason is that in 6.0, the authorization filter is run for all dispatcher types, including FORWARD. This means that the JSP that is forwarded to also needs to be permitted.

You can achieve this by permitting FORWARDs:

http.authorizeHttpRequests((authorize) -> authorize
    .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
    // ... the rest of your authorization rules
)

For more details, you can see the section about Spring MVC in the migration guide.

@jzheaux jzheaux closed this as completed Jan 3, 2023
@jzheaux jzheaux added the labels "in: config" (An issue in spring-security-config) and "for: stackoverflow" (A question that's better suited to stackoverflow.com) and removed the labels "status: waiting-for-triage" (An issue we've not yet triaged) and "type: bug" (A general bug) Jan 3, 2023
@jzheaux jzheaux self-assigned this Jan 3, 2023
@mklinkj
Author

mklinkj commented Jan 4, 2023

Hello. Thank you for the answer.

However, even if I set the FORWARD permit setting, it still returns a 403 response.

  • Configuration Class

    http.authorizeHttpRequests(
            authorize ->
                authorize
                    // .shouldFilterAllDispatcherTypes(false) // Even adding this setting had no effect.
                    .dispatcherTypeMatchers(DispatcherType.FORWARD)
                    .permitAll()
                    .requestMatchers("/hello")
                    .authenticated());
  • REST Controller Method

      @GetMapping({"/hello"})
      public String hello() {
        return "Hello!";
      }
  • Test Code

      @Test
      @WithUserDetails("mklinkj")
      void testCallingHelloVariationWithAuthentication() throws Exception {
        mvc.perform(get("/hello/")) //
            .andExpect(status().isOk()); // Test failed with 403 response.
      }

I'm not sure what the cause is.

I'll try to find out more slowly. Thank you.

@its-felix

Adding dispatcherTypeMatchers configuration worked for me.

I quoted your response in here ( @jzheaux ):
https://stackoverflow.com/a/75012896/4515989

@mklinkj
Author

mklinkj commented Jan 7, 2023

Hello.

I've solved the problem.

It was not related to Spring Security.

In Spring 6 MVC, trailing slashes in URLs are not automatically handled.

After adding the following settings the test was successful.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
  @Override
  public void configurePathMatch(PathMatchConfigurer configurer) {
    // Restores the pre-6.0 behaviour where a request to "/hello/" also matches "/hello".
    // This setter is deprecated as of Spring Framework 6.0.
    configurer.setUseTrailingSlashMatch(true);
  }
}

Thank you all.
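As an added example (not code from this thread or from the Spring Security project), here is a Spring Security 6 configuration that combines both findings above: it permits FORWARD dispatches so forwarded views pass the AuthorizationFilter, and it names "/hello/" explicitly in both the security rule and the handler mapping instead of re-enabling trailing-slash matching application-wide. The class names SecurityConfig and HelloController are assumptions.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed class name; added example, not taken from the issue thread.
@Configuration
public class SecurityConfig {

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authorize -> authorize
        // Spring Security 6 runs the AuthorizationFilter for every DispatcherType,
        // so an internal forward (e.g. to a JSP view) is evaluated as a second
        // request. FORWARD dispatches are created only by the servlet container,
        // never sent by a client, so permitting them does not expose the view.
        .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
        // Spring MVC 6 no longer folds "/hello/" into "/hello". Naming both paths
        // keeps the security rule and the handler mapping in step without changing
        // path matching for the whole application.
        .requestMatchers("/hello", "/hello/").authenticated()
        // A request that matches no rule is denied by the delegating authorization
        // manager, which is why the thread's "/hello/" request produced 403 rather
        // than 404. Stating the default keeps that intent visible to reviewers.
        .anyRequest().denyAll());
    return http.build();
  }
}

// The handler mapping must accept both forms too; otherwise an authenticated
// request to "/hello/" passes authorization but ends in 404 instead of 200.
@RestController
class HelloController {
  @GetMapping({"/hello", "/hello/"})
  public String hello() {
    return "Hello!";
  }
}
```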
