**Describe the bug**

A user stays idle on a page until the session has expired. When he refreshes the page, the system redirects him to the login page. Once he has logged in, the system redirects him to one of the static resources and prompts him to download it.

**To Reproduce**

Since #10938, I replaced `web.ignoring().requestMatchers()` with `http.authorizeHttpRequests().requestMatchers().permitAll()`, and this issue occurred.

**Expected behavior**

The user should be redirected to the protected page instead of the unprotected static resource.

**Sample**

My SecurityConfig is as follows:

```java
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    return http
            // Static resources and the login page are permitted through the filter
            // chain rather than excluded from it with web.ignoring() (see #10938)
            .authorizeHttpRequests(authorize -> authorize
                    .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                    .requestMatchers("/login").permitAll()
                    .requestMatchers("/", "index.html").permitAll()
                    .requestMatchers("/*.css", "/*.js", "/*.png", "/assets/*").permitAll()
                    .anyRequest().authenticated()
            )
            .csrf(csrf -> csrf
                    .csrfTokenRepository(csrfTokenRepository())
                    .csrfTokenRequestHandler(csrfTokenRequestHandler())
            )
            .formLogin(form -> form
                    .loginPage("/login")
                    .loginProcessingUrl("/auth/login")
                    // The SPA handles navigation after login; the server only answers 204
                    // (SC_NO_CONTENT and UNAUTHORIZED are static imports)
                    .successHandler((request, response, authentication) -> response.setStatus(SC_NO_CONTENT))
                    .permitAll()
            )
            .oauth2Login(oauth2 -> oauth2
                    .loginPage("/login")
                    .authorizationEndpoint(endpoint -> endpoint
                            .authorizationRequestResolver(pkceAuthorizationRequestResolver()))
                    .permitAll()
            )
            .logout(logout -> logout
                    .logoutUrl("/auth/logout")
                    .permitAll()
            )
            // API calls get a bare 401 instead of a redirect to the login page
            .exceptionHandling(exception -> exception
                    .defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(UNAUTHORIZED),
                            new AntPathRequestMatcher("/api/**"))
            )
            .build();
}
```

Comment From: maokejackson

False alarm