spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0
8.45k stars 5.76k forks

http.authorizeHttpRequests((authorize) -> authorize.requestMatchers( "/websocket/**").permitAll()); Not working #14971

Closed charankavuri closed 1 week ago

charankavuri commented 3 weeks ago

Describe the bug

When adding the websocket or any requestMatcher as an exception (whitelisting) in the SecurityFilterChain, the /websocket or the OPTIONS call returns a 401. This issue has occurred after migrating to Spring Boot 3 and changing antMatchers to requestMatchers.

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    for (String issuerUri : issuerUris) {
        addManager(authenticationManagers, issuerUri);
    }
    var authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);

    http
        .csrf(AbstractHttpConfigurer::disable) // deepcode ignore DisablesCSRFProtection: This is a stateless service so CSRF is not possible, and we don't want to introduce a CSRF token just to have one.
        .sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(STATELESS))
        .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::deny))
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        )
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers( "/websocket/**").permitAll()
            .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        );

    return http.build();
}

Expected behavior

Should be able to access /websocket

jzheaux commented 3 weeks ago

Hi, @charankavuri, thanks for reaching out. Are you able to submit a minimal sample that reproduces the issue?

spring-projects-issues commented 2 weeks ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues commented 1 week ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
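
A minimal test of the kind requested in the thread, written against the configuration in the report. This is an added example, not code from the issue or from the Spring Security project; it assumes a Spring Boot 3 application with `spring-boot-starter-test` on the classpath, and the class name, the path `/websocket/info` and the token value are constructed for illustration.

```java
// Added example (not from the issue). Assumes the SecurityFilterChain from the
// report is part of the application context loaded by @SpringBootTest.
// "/websocket/info" and the bearer value are constructed sample inputs.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class WebsocketPermitAllTests {

    @Autowired
    private MockMvc mvc;

    // Anonymous request to a permitAll() path: any status except 401 means the
    // rule matched (under MockMvc, 404 is fine when no handler is mapped).
    @Test
    void anonymousWebsocketRequestIsNotRejected() throws Exception {
        int status = mvc.perform(get("/websocket/info"))
                .andReturn().getResponse().getStatus();
        assertNotEquals(401, status);
    }

    // Preflight without credentials, covered by the OPTIONS "/**" rule.
    @Test
    void anonymousPreflightIsNotRejected() throws Exception {
        int status = mvc.perform(options("/websocket/info"))
                .andReturn().getResponse().getStatus();
        assertNotEquals(401, status);
    }

    // A bearer token that fails validation is rejected by
    // BearerTokenAuthenticationFilter before the authorization rules run,
    // so a 401 here is expected even though the path is permitAll().
    @Test
    void invalidBearerTokenIsRejectedEvenOnPermitAllPath() throws Exception {
        mvc.perform(get("/websocket/info")
                        .header(HttpHeaders.AUTHORIZATION, "Bearer not-a-jwt"))
                .andExpect(status().isUnauthorized());
    }
}
```

If the first two tests pass while the deployed service still answers 401, comparing the failing request's headers with these cases shows whether the request was anonymous or carried a token that did not validate.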