spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Return 401 code even with the correct settings #15009

Closed JunggiKim closed 1 week ago

JunggiKim commented 1 week ago

Describe the bug
Return 401 code and response body bin value even though permission was granted.

To Reproduce
Attempt to send an HTTP request to an allowed resource.

Expected behavior
Allow HTTP requests and don't even see the default login page.

Sample

    // oAuth2LoginSuccessHandler, oAuth2LoginFailureHandler and customOAuth2UserService are
    // injected fields; customJsonLoginFilter() and jwtAuthenticationProcessingFilter() are
    // bean methods defined elsewhere in the poster's configuration class (not shown).
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .formLogin().disable()
            .httpBasic().disable()
            .csrf(csrf -> csrf.disable())
            .headers().frameOptions().disable()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/", "/css/**", "/images/**", "/js/**", "/favicon.ico", "/h2-console/**").permitAll()
            .antMatchers("/sign-up").permitAll()
            .antMatchers("/jwt-test").permitAll()
            .antMatchers("/error").permitAll()
            .anyRequest().authenticated()
            .and() // back to HttpSecurity; oauth2Login() is not available on the URL registry
            .oauth2Login()
            .successHandler(oAuth2LoginSuccessHandler)
            .failureHandler(oAuth2LoginFailureHandler)
            .userInfoEndpoint().userService(customOAuth2UserService);

        // Custom JSON login filter runs after LogoutFilter; the JWT filter runs ahead of it.
        http.addFilterAfter(customJsonLoginFilter(), LogoutFilter.class);
        http.addFilterBefore(jwtAuthenticationProcessingFilter(), CustomJsonLoginFilter.class);
        return http.build();
    }

---- That's the setting right now ----

------- Below is a Spring Security log taken in debug mode -------

2024-05-04 21:35:25.557 DEBUG 16184 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing POST /sign-up
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/sign-up
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing POST /error
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [POST /error] with attributes [authenticated]
2024-05-04 21:35:25.558 DEBUG 16184 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@2ad23ed, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using Or [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest], And [Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@1e1b110d, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@1e1b110d, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@1e1b110d, matchingMediaTypes=[*/*], useEquals=true, ignoredMediaTypes=[]]]
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint@29a50a11
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6ef5ba70
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-05-04 21:35:25.559 DEBUG 16184 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

    .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()

    @SpringBootApplication(scanBasePackages = "chipbk10.com.example.authservices")

When I did something like this, the "Using generated security password:" message came up in the log and I was able to log in, but the resource I allowed still doesn't receive the request and only comes back with the 401 code.
sjohnr commented 1 week ago

Thanks for getting in touch @JunggiKim, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, your logs indicate "Invalid CSRF token found for http://localhost:8080/sign-up" and you have not permitted the ERROR dispatch for anonymous users via .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll(), hence the 401. I'm going to close this issue.
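Putting the maintainer's two observations together, the following is an added example configuration, not code from the issue or from Spring Security's own sources. It is written for Spring Boot 3 / Spring Security 6 with the lambda DSL, where the authorization filter evaluates every dispatcher type by default. It permits the ERROR dispatch so that the 403 produced by CsrfFilter is rendered by /error instead of being turned into a 401 by anyRequest().authenticated(), and it shows the two ways to stop CsrfFilter from rejecting a JSON POST to /sign-up. The JwtAuthenticationProcessingFilter type stands for the poster's own filter and is an assumption; the poster's oauth2Login settings are left out to keep the example focused on the 401.

```java
// Added example, not part of the issue or of Spring Security.
// Assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet, lambda DSL).
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    // Hypothetical: the poster's own JWT filter, assumed to
                                    // extend OncePerRequestFilter and to be a bean.
                                    OncePerRequestFilter jwtAuthenticationProcessingFilter) throws Exception {
        http
            // A stateless, token-authenticated API has no session in which a CSRF token
            // could live, so CSRF protection is switched off. If the app also serves
            // browser forms, keep CSRF on and exempt only the JSON endpoints instead:
            //   .csrf(csrf -> csrf.ignoringRequestMatchers("/sign-up", "/login"))
            .csrf(csrf -> csrf.disable())
            .formLogin(form -> form.disable())
            .httpBasic(basic -> basic.disable())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // SAMEORIGIN is enough for the H2 console; fully disabling X-Frame-Options
            // is not needed.
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))
            .authorizeHttpRequests(auth -> auth
                // Spring Security 6 authorizes ERROR and FORWARD dispatches too. Without
                // this rule, the container's error dispatch to /error runs as the anonymous
                // user, fails anyRequest().authenticated(), and the client sees a 401
                // instead of the original 403 (or 400/500) that caused the dispatch.
                .dispatcherTypeMatchers(DispatcherType.ERROR, DispatcherType.FORWARD).permitAll()
                .requestMatchers("/", "/css/**", "/images/**", "/js/**", "/favicon.ico").permitAll()
                .requestMatchers("/h2-console/**").permitAll()
                // Only the POST that creates an account is public; GET /sign-up stays protected.
                .requestMatchers(HttpMethod.POST, "/sign-up").permitAll()
                .requestMatchers("/jwt-test", "/error").permitAll()
                .anyRequest().authenticated())
            // The log in the issue shows DelegatingAuthenticationEntryPoint falling back to
            // BasicAuthenticationEntryPoint. For a JSON API, answer unauthenticated requests
            // with a bare 401 and no WWW-Authenticate: Basic challenge.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Validate the bearer token before the username/password machinery would run.
            .addFilterBefore(jwtAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}
```

With this in place a POST to /sign-up without a token is authorized by the matcher rule, and a request that CsrfFilter (if left enabled) rejects is reported as the 403 it really is, which is the first thing to check when a "permitted" endpoint unexpectedly returns 401: read the debug log for the request that preceded the /error dispatch rather than the /error dispatch itself.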