There is an issue with the standard basic security config where all authorized users are permitted for all pages:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.cors().and()
        .authorizeHttpRequests((requests) -> requests
            .requestMatchers("/").permitAll()   // root is public
            .anyRequest().authenticated());     // everything else needs an authenticated user
    return http.build();
}
But Spring gives 403 regardless of endpoint or request type. According to the log, the JWT token is parsed and decoded fine and the user gets authorized, but it is still 403. I'm making the request with Postman using the header authentication "Bearer ...".
The security log is the following:
Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@24482a4f, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3140ad41, org.springframework.security.web.context.SecurityContextHolderFilter@790f4933, org.springframework.security.web.header.HeaderWriterFilter@2526d5f9, org.springframework.web.filter.CorsFilter@2e09c51, org.springframework.security.web.csrf.CsrfFilter@463a1f47, org.springframework.security.web.authentication.logout.LogoutFilter@3d605657, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@15d2ea6b, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7ac1161f, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3f2d2f22, org.springframework.security.web.access.ExceptionTranslationFilter@4e4c05a0, org.springframework.security.web.access.intercept.AuthorizationFilter@5b29d699]] (1/1)
2023-02-09T21:10:24.072Z DEBUG 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Securing GET /parsing/parseAFile?filename=%22test%22
2023-02-09T21:10:24.073Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/12)
2023-02-09T21:10:24.073Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/12)
2023-02-09T21:10:24.074Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/12)
2023-02-09T21:10:24.100Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/12)
2023-02-09T21:10:24.106Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/12)
2023-02-09T21:10:24.116Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (6/12)
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/12)
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/12)
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.s.w.s.HttpSessionRequestCache : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2023-02-09T21:10:24.122Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/12)
2023-02-09T21:10:24.126Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/12)
2023-02-09T21:10:24.126Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (11/12)
2023-02-09T21:10:24.127Z TRACE 19384 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (12/12)
2023-02-09T21:10:24.127Z TRACE 19384 --- [nio-8081-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@adc8e17]
2023-02-09T21:10:24.139Z TRACE 19384 --- [nio-8081-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@adc8e17] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@55a93588
2023-02-09T21:10:24.140Z TRACE 19384 --- [nio-8081-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2023-02-09T21:10:24.140Z TRACE 19384 --- [nio-8081-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-09T21:10:24.140Z TRACE 19384 --- [nio-8081-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-09T21:10:24.141Z TRACE 19384 --- [nio-8081-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-02-09T21:10:24.142Z TRACE 19384 --- [nio-8081-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
Expected behavior: not getting a 403 error on all paths/requests.
According to the log and error code, the user got authorized, so the JWT token is parsed correctly, and access to all endpoints is granted for all authorized users, no matter the role. So does that still appear to be a bug in Spring Security?
Comment From: Moberaptor
Once in elementary school, I sh\t myself in French class. I didn't tell anyone about it all these years, because I was terribly embarrassed about it. Now I see how they sh\t themselves in Spring Security, and now I see I shouldn't have been embarrassed all these years.
Comment From: engineerscodes
Any fix? Same problem.
Comment From: MoMutawe1
@Moberaptor @engineerscodes
Try this, it will fix the 403 error:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http.csrf().disable()
        .authorizeHttpRequests((requests) -> requests
            .requestMatchers("/").permitAll())
        .build();
}
Comment From: burakbalim
I tried with csrf disabled, but I get the same error. This error occurred in version 3.0.14, while it works on 2.7.0 without any changes in the source code.
Comment From: burakbalim
My configuration is like this:
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
// the two imports below assume the Spring Authorization Server 1.0 package layout
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Chain 1: authorization server endpoints (OIDC enabled), also accepting JWTs as a resource server
@Bean
@Order(1)
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    return http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
        .oidc(withDefaults())
        .and()
        .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
        .build();
}

// Chain 2: everything else; oauth2RequestMatcher is a RequestMatcher defined elsewhere in the config
@Bean
@Order(2)
public SecurityFilterChain securityFilterChainAs(HttpSecurity http) throws Exception {
    return http
        .formLogin(AbstractHttpConfigurer::disable)
        .cors(AbstractHttpConfigurer::disable)
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(registry -> registry
            .requestMatchers(oauth2RequestMatcher).authenticated()
            .anyRequest().permitAll())
        // csrf and cors are disabled a second time here; redundant but harmless
        .csrf(AbstractHttpConfigurer::disable)
        .cors(AbstractHttpConfigurer::disable)
        .build();
}
Comment From: burakbalim
Please help @spring-projects-issues
Comment From: burakbalim
I am digging into the problem: BearerTokenAuthenticationFilter is not invoked when I send a request with a bearer token after authenticating.
Comment From: MoMutawe1
I tried with csrf disabled, but I get the same error. This error occurred in version 3.0.14, while it works on 2.7.0 without any changes in the source code.
There were many changes in Spring Security after Spring Boot 3; you need to check the new classes and libraries added for Spring Boot 3 and update your code accordingly. I suggest you first watch some videos on the Spring Security 3 / Spring Security 6 changes to get familiar with them. Check this: https://www.youtube.com/watch?v=R76S0tfv36w&t=2435s&ab_channel=JavaTechie
Comment From: rishiraj88
Thanks, @MoMutawe1 , for the video link. It's timely and helpful.
Comment From: marcusdacoregio
There has probably been an error in the request and it got redirected to /error, which, since Spring Security 6.0, is protected. There must be something else in the logs, like a redirect to /error.
Since it's been a while since this was reported, I'll close this and, if needed, we may reopen.
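Two things in the log at the top of the issue explain the 403 on their own: the filter list of the matched chain contains no BearerTokenAuthenticationFilter (the reported config never calls oauth2ResourceServer, so the Authorization header is never evaluated and AuthorizationFilter sees the AnonymousAuthenticationToken), and, as the maintainer notes, the /error dispatch is itself secured since 6.0, so any downstream failure also surfaces as 403. The configuration below is an added example, not code from this thread; it assumes a JwtDecoder is provided by Spring Boot (for example via the spring.security.oauth2.resourceserver.jwt.issuer-uri property) and that a CorsConfigurationSource bean exists.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class JwtResourceServerConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // CORS rules come from the CorsConfigurationSource bean (assumed to exist)
            .cors(Customizer.withDefaults())
            // Stateless bearer-token API: no session cookie, so CSRF protection has nothing to protect
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(requests -> requests
                // Spring Boot forwards failures to /error with an ERROR dispatch; since Spring Security 6.0
                // that dispatch is authorized too. Permitting it keeps a 500 from being reported as a 403.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated())
            // Registers BearerTokenAuthenticationFilter in the chain. Without this call the
            // "Authorization: Bearer ..." header is never read and every request stays anonymous.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With this in place the TRACE log for the chain lists BearerTokenAuthenticationFilter, and a valid token yields a JwtAuthenticationToken rather than the AnonymousAuthenticationToken shown above; an invalid or missing token now produces 401 from the bearer token entry point, while 403 is reserved for an authenticated caller that lacks the required authority.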