-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
After adding custom filters, permitAll() does not work #4368
Comments
@redbrickss I had a similar issue with : String authorization = servletRequest.getHeader("Authorization");
if (authorization != null) {
SecurityContextHolder.getContext().setAuthentication(new JWTAuthentication(authorization.replaceAll("Bearer ", "")));
} /* no else case */ I fixed it with : String authorization = servletRequest.getHeader("Authorization");
if (authorization != null) {
SecurityContextHolder.getContext().setAuthentication(new JWTAuthentication(authorization.replaceAll("Bearer ", "")));
} else {
SecurityContextHolder.getContext().setAuthentication(null);
} Not sure why the context is not refreshed between requests. |
I am facing the same issue :| tried all possible combinations but it seems like after custom filter it doesnt work at all. |
#Update: http.csrf()
.disable().antMatcher("<secure patth>/**").
authorizeRequests().
anyRequest().
authenticated().and()
.addFilterBefore(new AuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authenticationProvider(authProvider) |
@siddhiparkar151992 I'm glad you were able to solve this. As an FYI, there is no need for http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(new AuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authenticationProvider(authProvider) PS: You can use fenced code blocks for formatting code. For example:
will render as System.out.println("hi");
System.out.println("there"); |
To anyone still having an issue, it is difficult to reproduce the issue if you have custom code (i.e. a custom authentication filter) without posting it. Please provide a complete sample to reproduce the issue. |
Another way to solve the problem is ignoring the URL and if possible with the respective HTTP method overriding the method void configure (WebSecurity web) {} as bellow |
I am facing similar issues where i have custom filter for JWT validation and also have configured the web.ignoring in place but still the request goes into filter http.csrf().disable().authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll().and().authorizeRequests().anyRequest().authenticated().and().requestMatchers().antMatchers(gateConfig.getResource()).and().addFilterAfter(new JWTRequestFilter(), UsernamePasswordAuthenticationFilter.class); |
@davi004 i think you need to remove the Another think you need to add your |
Things essentially happen in this order:
Step 2 is where a Note that just because a request is public, that doesn't mean the response won't be rendered differently if there is a user in context. Thus, the separation of these two concerns is important. It's already been stated that |
Wow that worked like magic, thank you! |
@jzheaux Thanks for explaining, your comment was helpful in understanding the steps involved. I have not been able to find an example for what a
In other words, I have a URL where I'd like to avoid having authentication or authorization checks be performed (including not running my custom filter, which is an authentication filter), but I'd like to have the Step 1 checks (secure headers, etc) and therefore I can't just use Is there any documentation or examples that you know off? |
Hi, @sangonzal. Usually, the best way is to ensure that your custom filter simply skips any request it doesn't care about. This is what several of the Spring Security filters do, like You can achieve that using the public class MyCustomFilter extends OncePerRequestFilter {
private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/relevant/paths/**");
// ...
public void doFilterInternal(...) {
if (this.requestMatcher.matches(request)) {
// ... this filter should run
}
chain.doFilter(request, response);
}
} There are several implementations of However, if you have a use case where you have endpoints that you don't want Spring Security to authenticate or authorize, but still want the security headers, you can register two @Configuration
@Order(1)
public class OnlyHeadersConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.antMatchers("/special/endpoints/**")
.authorizeRequests((authz) -> authz.anyRequest().permitAll())
.anonymous();
}
}
@Configuration
@Order(2)
public class MainSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests(authz -> authz.anyRequest().authenticated())
.addFilterAt(new MyCustomFilter(), UsernamePasswordAuthenticationFilter.class);
}
} The first config is only applied to the |
@jzheaux Thanks, breaking up the configuration solves the issue. Follow up question creation of a Do you if there are anyways of having |
I'm glad that worked for you, @sangonzal. At this point, I think that we are getting a bit off the topic of the ticket here, which will make it trickier for community members who came for the specific issue found in this ticket. I think your question is a good one and would be better answered via the StackOverflow community. Please consider posting the question there, and I'm happy to take a look and discuss it further. |
For me it worked only with following code as I just wanted secured API to go through the custom filter and follow the logic there. http
.csrf()
.disable().antMatcher("<Secured API>/**").
authorizeRequests()
.anyRequest().permitAll()
.and()
.addFilterAfter(new WellnessAuthFilter(), BasicAuthenticationFilter.class);``` |
not solving |
Summary
After adding custom JWT filter for authentication, all paths with permitAll() are still passing through the custom JWT filter.
So, for example if I have these URI's
/api/users/{id}/topic/{name} (This has to be available for all users. permitAll())
and
/api/users/** (other multiple ant matchers URI which are authenticated())
So, If I have a custom JWT filter with pattern matching URI as (/api/users/**) then why is this filter enabled for permitAll (/api/users/{id}/topic/{name} URI)? It doesn't have jwt token.
Is this a bug?
Do I have to keep authenticated URI's with /a/api/user/** and use the pattern for the filter?
and /api/users/** with permitAll()? Looks like a bad design to me.
Actual Behavior
permitAll() URI's are passing through custom filter.
Expected Behavior
permitAll() URI's shouldn't pass through custom filter.
Configuration
Version
Latest version
Sample
The text was updated successfully, but these errors were encountered: