OAuth2 login redirects user to unprotected static resource instead of the protected page #14700

Closed
maokejackson opened this issue Mar 7, 2024 · 1 comment
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@maokejackson

Describe the bug
The user stays on a page idle until the session expires. When he refreshes the page, the system redirects him to the login page. Once he has logged in, the system redirects him to one of the static resources and prompts for download.

To Reproduce
Since #10938, I replaced web.ignoring().requestMatchers() with http.authorizeHttpRequests().requestMatchers().permitAll() and this issue occurred.

Expected behavior
The user should be redirected to the protected page instead of the unprotected static resource.

Sample
My SecurityConfig is as follows:

// Imports inferred from the classes used below (Spring Security 6 / Jakarta). The helper beans
// csrfTokenRepository(), csrfTokenRequestHandler() and pkceAuthorizationRequestResolver()
// are defined elsewhere in the reporter's configuration and are not shown here.
import static jakarta.servlet.http.HttpServletResponse.SC_NO_CONTENT;
import static org.springframework.http.HttpStatus.UNAUTHORIZED;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    return http
            .authorizeHttpRequests(authorize -> authorize
                    // Static resources are permitted inside the filter chain (the #10938 migration)
                    // rather than ignored via web.ignoring(), so they still pass through the filters.
                    .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                    .requestMatchers("/login").permitAll()
                    .requestMatchers("/", "index.html").permitAll()
                    .requestMatchers("/*.css", "/*.js", "/*.png", "/assets/*").permitAll()
                    .anyRequest().authenticated()
            )
            .csrf(csrf -> csrf
                    .csrfTokenRepository(csrfTokenRepository())
                    .csrfTokenRequestHandler(csrfTokenRequestHandler())
            )
            .formLogin(form -> form
                    .loginPage("/login")
                    .loginProcessingUrl("/auth/login")
                    // A successful form login answers 204 instead of redirecting.
                    .successHandler((request, response, authentication) -> response.setStatus(SC_NO_CONTENT))
                    .permitAll()
            )
            .oauth2Login(oauth2 -> oauth2
                    .loginPage("/login")
                    .authorizationEndpoint(endpoint -> endpoint
                            .authorizationRequestResolver(pkceAuthorizationRequestResolver()))
                    .permitAll()
            )
            .logout(logout -> logout
                    .logoutUrl("/auth/logout")
                    .permitAll()
            )
            .exceptionHandling(exception -> exception
                    // Unauthenticated API calls get a plain 401 instead of a redirect to the login page.
                    .defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(UNAUTHORIZED),
                            new AntPathRequestMatcher("/api/**"))
            )
            .build();
}
@maokejackson maokejackson added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 7, 2024
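An added configuration example, written for this page and not the reporter's code or anything from Spring Security itself: it shows the permitAll migration described in the report together with a saved-request cache narrowed to HTML page navigations, so that a fetch for CSS, JS or an image is never stored as the post-login redirect target. Whether the saved request was the cause in this thread is not stated (the issue was closed as a false alarm), so that is an assumption, and the class name and the reuse of the report's static patterns are illustrative.

```java
import java.util.Set;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class StaticResourceSecurityConfig { // hypothetical class name

    // Static locations as listed in the report ("/assets/*" is one segment deep, as posted).
    private static final RequestMatcher STATIC_RESOURCES = new OrRequestMatcher(
            PathRequest.toStaticResources().atCommonLocations(),
            new AntPathRequestMatcher("/*.css"), new AntPathRequestMatcher("/*.js"),
            new AntPathRequestMatcher("/*.png"), new AntPathRequestMatcher("/assets/*"));

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Remember only GET requests that ask for HTML, i.e. a real page navigation.
        // A bare "Accept: */*" is ignored, so script, style and image fetches never qualify.
        MediaTypeRequestMatcher wantsHtml = new MediaTypeRequestMatcher(MediaType.TEXT_HTML);
        wantsHtml.setIgnoredMediaTypes(Set.of(MediaType.ALL));
        RequestMatcher pageNavigation = new AndRequestMatcher(
                new AntPathRequestMatcher("/**", "GET"),
                wantsHtml,
                new NegatedRequestMatcher(STATIC_RESOURCES));
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
        requestCache.setRequestMatcher(pageNavigation);

        return http
                // permitAll inside the chain (the #10938 migration) instead of web.ignoring().
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(STATIC_RESOURCES).permitAll()
                        .requestMatchers("/login", "/", "/index.html").permitAll()
                        .anyRequest().authenticated())
                .requestCache(cache -> cache.requestCache(requestCache))
                .formLogin(form -> form.loginPage("/login").permitAll())
                .build();
    }
}
```

With this cache matcher, an expired session that is first noticed by a static-resource request leaves nothing in the cache, and the redirect after login falls back to the default success URL instead of that resource.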
@maokejackson
Author

False alarm
