Describe the bug
Request matchers are not working with hasAnyAuthority & hasRole.
I have two roles:
- ks_admin
- ks_user
ks_user must not be allowed to do POST requests, but both are able to call POST methods on the endpoints.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class Config {
    private String KS_ADMIN = "ks_admin";
    private String KS_USER = "ks_user";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
                .requestMatchers(HttpMethod.GET, "*/**").hasAuthority(KS_ADMIN)
                .requestMatchers(HttpMethod.POST, "*/**").hasAnyAuthority(KS_ADMIN)
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .cors()
                .and()
            .csrf()
                .disable()
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}
```
I guess requestMatchers are not matching the patterns. This is very dangerous if a user with no access can perform a delete or update.
To Reproduce
Spring Security version 6.0.2
Expected behavior
Only KS_ADMIN should be allowed to do POST requests to the backend; other roles (KS_USER) are not allowed to do so.
Comment From: marcusdacoregio
Hi @engineerscodes,
I have the following configuration in my app:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private String KS_ADMIN = "ks_admin";
    private String KS_USER = "ks_user";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
                .requestMatchers(HttpMethod.GET, "*/**").hasAuthority(KS_ADMIN)
                .requestMatchers(HttpMethod.POST, "*/**").hasAuthority(KS_ADMIN)
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            .httpBasic();
        return http.build();
    }

    // Two in-memory users so the rules can be exercised with HTTP Basic
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails admin = User.withDefaultPasswordEncoder()
            .username("admin")
            .password("password")
            .authorities(KS_ADMIN).build();
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .authorities(KS_USER).build();
        return new InMemoryUserDetailsManager(admin, user);
    }
}
```
And it works just fine. Can you provide a minimal, reproducible sample where we can replay the behavior consistently?
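A self-contained way to check the rule under discussion, added here as an example (it is not code from the issue, from the linked sample, or from Spring Security itself): a Spring Boot 3 / Spring Security 6 MockMvc test with an in-memory admin and user that asserts only ks_admin can POST, a ks_user POST gets 403, and an anonymous POST gets 401. The package name, the `/api/items` endpoint, the leading-slash `/api/**` pattern and the credentials are assumptions made for this example.

```java
// Added example, not from the issue or the Spring Security project.
// Assumes spring-boot-starter-web, spring-boot-starter-security,
// spring-boot-starter-test and spring-security-test on the classpath.
package com.example.authz; // hypothetical package

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest(classes = AuthorizationRulesTest.App.class)
@AutoConfigureMockMvc
class AuthorizationRulesTest {

    static final String KS_ADMIN = "ks_admin";
    static final String KS_USER = "ks_user";

    @SpringBootApplication
    static class App {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests(auth -> auth
                    // hasAuthority compares the granted authority string as stored;
                    // hasRole("ks_admin") would instead look for "ROLE_ks_admin".
                    .requestMatchers(HttpMethod.GET, "/api/**").hasAnyAuthority(KS_ADMIN, KS_USER)
                    .requestMatchers(HttpMethod.POST, "/api/**").hasAuthority(KS_ADMIN)
                    .anyRequest().authenticated())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }

        @Bean
        UserDetailsService userDetailsService() {
            // Constructed test users; withDefaultPasswordEncoder is for samples only.
            return new InMemoryUserDetailsManager(
                User.withDefaultPasswordEncoder().username("admin").password("password").authorities(KS_ADMIN).build(),
                User.withDefaultPasswordEncoder().username("user").password("password").authorities(KS_USER).build());
        }

        @Bean
        ItemsController itemsController() {
            return new ItemsController();
        }
    }

    // Hypothetical endpoint so that an allowed request reaches a real handler (200) rather than a 404.
    @RestController
    static class ItemsController {
        @GetMapping("/api/items") String list() { return "[]"; }
        @PostMapping("/api/items") String create() { return "created"; }
    }

    @Autowired MockMvc mvc;

    @Test
    void userCanReadButNotCreate() throws Exception {
        mvc.perform(get("/api/items").with(httpBasic("user", "password"))).andExpect(status().isOk());
        // Authenticated but lacking ks_admin: AuthorizationFilter denies with 403
        mvc.perform(post("/api/items").with(httpBasic("user", "password"))).andExpect(status().isForbidden());
    }

    @Test
    void adminCanCreate() throws Exception {
        mvc.perform(post("/api/items").with(httpBasic("admin", "password"))).andExpect(status().isOk());
    }

    @Test
    void anonymousIsChallenged() throws Exception {
        // No credentials: the Basic entry point answers 401, not 403
        mvc.perform(post("/api/items")).andExpect(status().isUnauthorized());
    }
}
```

Running this with the reporter's own pattern and authority mapping substituted in is the quickest way to see whether the POST rule is actually selected for a given request; if the ks_user POST comes back 200 instead of 403, the matcher is not matching and the request is falling through to `anyRequest().authenticated()`, which is exactly the behaviour the report describes.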
Comment From: engineerscodes
Hey, you can try this sample PoC of mine: https://github.com/engineerscodes/Khonshu
Comment From: engineerscodes
I am using OAuth 2 with Keycloak.
Comment From: engineerscodes
Refer: https://www.baeldung.com/spring-boot-keycloak#securityconfig. It looks like everything worked fine with antMatchers.
Comment From: marcusdacoregio
There is too much going on in that sample, which makes it hard to set up and debug.

> It looks like everything worked fine with antMatchers

You can still use antMatchers to check if it is working; just use `requestMatchers(org.springframework.security.web.util.matcher.AntPathRequestMatcher#antMatcher(java.lang.String))`.
I would recommend that the next step for you to figure out what is happening is to add `logging.level.org.springframework.security=TRACE` to your application.properties and analyze the logs.
Comment From: engineerscodes
@marcusdacoregio Thank you for helping, I found a workaround.