Describe the bug
When adding the websocket or any requestMatcher as an exception (whitelisting) in the SecurityFilterChain, the /websocket or the OPTIONS call returns a 401. This issue has occurred after migrating to Spring Boot 3 and changing antMatchers to requestMatchers.
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    for (String issuerUri : issuerUris) {
        addManager(authenticationManagers, issuerUri);
    }
    var authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
    http
        .csrf(AbstractHttpConfigurer::disable) // deepcode ignore DisablesCSRFProtection: This is a stateless service so CSRF is not possible, and we don't want to introduce a CSRF token just to have one.
        .sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(STATELESS))
        .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::deny))
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        )
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/websocket/**").permitAll()
            .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        );
    return http.build();
}
Expected behavior
Should be able to access /websocket
Comment From: jzheaux
Hi, @charankavuri, thanks for reaching out. Are you able to submit a minimal sample that reproduces the issue?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.