I am configuring a bean of type SecurityFilterChain in a very simple Spring Boot application with JSP.
URIs like / or /welcome should be accessible by anyone
But URI /authenticate or any other request should require authentication
Here is Security Config
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth ->
            auth.requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
                .anyRequest().authenticated()
        )
        .formLogin(Customizer.withDefaults())
        .httpBasic(Customizer.withDefaults());
    return http.build();
}
```
But it is asking me to login to every URI pattern including / and /welcome.
I have attached my sample repository on which I am facing this issue https://github.com/dv0892/Security-Sample/tree/master
Seems like permitAll() is not working. Please let me know if anything else is required
Comment From: chipbk10
I got the same issue
Comment From: marcusdacoregio
Hi, @dv0892. Have you enabled TRACE logging to check where the authentication error is happening? Have you enabled the FORWARD dispatcher type?
Comment From: chipbk10
yes. Please look at the simple code below. You can reproduce it easily.
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(CsrfConfigurer::disable)
            .authorizeHttpRequests(requests -> requests
                .requestMatchers("/home").permitAll()
            )
            .formLogin(withDefaults())
            .build();
    }
}

@Controller
public class AuthController {
    @GetMapping("/home")
    public String home() {
        return "Home Page";
    }
}
```
Comment From: marcusdacoregio
I don't see you allowing FORWARD, nor have you provided any logs that can help to know what is happening. Please try what I recommended and, if you really believe that there is a bug in Spring Security, please create a minimal, reproducible sample and write your findings.
Comment From: chipbk10
@dv0892 has created a sample project that can reproduce this issue: https://github.com/dv0892/Security-Sample/tree/master
Can you provide the code to do the FORWARD like you mention? Thanks
Comment From: chipbk10
Even though I have enabled the FORWARD Dispatcher Type, it's still not working. Enter localhost:8080/home, it still asks for login:
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(CsrfConfigurer::disable)
            .authorizeHttpRequests(requests -> requests
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                .requestMatchers("/home").permitAll()
                .anyRequest().denyAll()
            )
            .formLogin(withDefaults())
            .build();
    }
}

@Controller
public class AuthController {
    @GetMapping("/home")
    public String home() {
        return "Home Page";
    }
}
```
Comment From: xtyuns
> I am configuring a bean of type SecurityFilterChain in a very simple spring boot application with jsp.
> URI's like / or /welcome should be accessible by anyone
> But URI /authenticate or any other request should require authentication
> Here is Security Config
>
> ```java
> @Bean
> public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
>     http.csrf(AbstractHttpConfigurer::disable)
>         .authorizeHttpRequests(auth ->
>             auth.requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
>                 .anyRequest().authenticated()
>         )
>         .formLogin(Customizer.withDefaults())
>         .httpBasic(Customizer.withDefaults());
>     return http.build();
> }
> ```
>
> But it is asking me to login to every URI pattern including / and /welcome.
> I have attached my sample repository on which I am facing this issue https://github.com/dv0892/Security-Sample/tree/master
> Seems like permitAll() is not working. Please let me know if anything else is required

I think it's not a good idea to mix springboot and jsp together. This is also the main problem in this issue besides forward.
Comment From: chipbk10
Finally, I found the solution here: https://stackoverflow.com/questions/77331852/how-do-i-set-a-home-page-can-be-opened-by-anyone-in-spring-security
The problem is that my application file is not placed at the root package.
Comment From: marcusdacoregio
Hi, @dv0892. Your configuration should look like this:
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth ->
            auth
                .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
                .requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
                .anyRequest().authenticated()
        )
        .formLogin(Customizer.withDefaults())
        .httpBasic(Customizer.withDefaults());
    return http.build();
}

@Scope("prototype")
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
    return new MvcRequestMatcher.Builder(introspector);
}
```
Note that I removed the servletPath("/") from the MvcRequestMatcher.Builder bean since you want to match the default servlet instead of one mapped under /. It seems a bit weird because the error message when not using the MVC request matcher says:
This is because there is more than one mappable servlet in your servlet context: {org.apache.jasper.servlet.JspServlet=[.jspx, .jsp], org.springframework.web.servlet.DispatcherServlet=[/]}.
In 6.2, that behavior has been fixed by https://github.com/spring-projects/spring-security/issues/13850 where you can use .requestMatchers("/", "/welcome"). I'll check with @jzheaux whether that issue should be back-ported.
Then, you must allow DispatcherType.FORWARD because Spring MVC will forward the request to /WEB-INF/views/welcome.jsp.
I'll close this since this is a configuration issue and not a bug, however I'll keep this updated if we can somehow improve the misleading error message.
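The behaviour explained in the comment above, as an added example (not code from this thread or from Spring Security): a simplified plain-Java model in which the ordered authorization rules are applied, first match wins, to every dispatch of a request. It goes beyond the FORWARD case to include an ERROR dispatch to /error; the class name, the hop lists and the exact-match path rule are assumptions made for illustration.

```java
import java.util.List;
import java.util.function.Predicate;

// Simplified model (an assumption for illustration, not Spring Security's implementation):
// the authorization rules are evaluated in order, first match wins, on EVERY dispatch.
public class DispatchAuthorizationModel {

    enum Dispatch { REQUEST, FORWARD, ERROR }            // names follow jakarta.servlet.DispatcherType
    enum Decision { PERMIT_ALL, AUTHENTICATED, DENY_ALL }

    // One pass through the security filter chain: dispatch type plus the path dispatched to.
    record Hop(Dispatch type, String path) {}

    // One line of the authorizeHttpRequests DSL.
    record Rule(String label, Predicate<Hop> matcher, Decision decision) {}

    static Rule requestMatchers(Decision decision, String... paths) {
        List<String> exact = List.of(paths);             // exact match only; real matchers support patterns
        return new Rule("requestMatchers" + exact, hop -> exact.contains(hop.path()), decision);
    }

    static Rule dispatcherTypeMatchers(Decision decision, Dispatch... types) {
        List<Dispatch> allowed = List.of(types);
        return new Rule("dispatcherTypeMatchers" + allowed, hop -> allowed.contains(hop.type()), decision);
    }

    static Rule anyRequest(Decision decision) {
        return new Rule("anyRequest", hop -> true, decision);
    }

    // First matching rule decides; a hop that matches no rule is denied.
    static Decision decide(List<Rule> rules, Hop hop) {
        return rules.stream()
                .filter(rule -> rule.matcher().test(hop))
                .map(Rule::decision)
                .findFirst()
                .orElse(Decision.DENY_ALL);
    }

    // Walks the hops of one anonymous request and reports where it is stopped, if anywhere.
    static String trace(List<Rule> rules, List<Hop> hops) {
        for (Hop hop : hops) {
            Decision decision = decide(rules, hop);
            if (decision != Decision.PERMIT_ALL) {
                return "blocked at " + hop.type() + " " + hop.path() + " (" + decision + ")";
            }
        }
        return "served without login";
    }

    public static void main(String[] args) {
        // Constructed hop sequences: a JSP view render, a request that ends on the
        // error page, and a direct request for a URL that must stay protected.
        List<Hop> jspView = List.of(
                new Hop(Dispatch.REQUEST, "/welcome"),
                new Hop(Dispatch.FORWARD, "/WEB-INF/views/welcome.jsp"));
        List<Hop> errorPage = List.of(
                new Hop(Dispatch.REQUEST, "/"),
                new Hop(Dispatch.ERROR, "/error"));
        List<Hop> protectedUrl = List.of(
                new Hop(Dispatch.REQUEST, "/authenticate"));

        // Rules as first posted in the issue.
        List<Rule> original = List.of(
                requestMatchers(Decision.PERMIT_ALL, "/", "/welcome"),
                anyRequest(Decision.AUTHENTICATED));
        // Rules with the container-internal dispatch types permitted ahead of the path rules.
        List<Rule> corrected = List.of(
                dispatcherTypeMatchers(Decision.PERMIT_ALL, Dispatch.FORWARD, Dispatch.ERROR),
                requestMatchers(Decision.PERMIT_ALL, "/", "/welcome"),
                anyRequest(Decision.AUTHENTICATED));

        System.out.println("original,  JSP view:      " + trace(original, jspView));
        System.out.println("original,  error page:    " + trace(original, errorPage));
        System.out.println("corrected, JSP view:      " + trace(corrected, jspView));
        System.out.println("corrected, error page:    " + trace(corrected, errorPage));
        System.out.println("corrected, /authenticate: " + trace(corrected, protectedUrl));
    }
}
```

Run it with `java DispatchAuthorizationModel.java` on Java 17 or later. In this model the dispatcher-type rule only affects the FORWARD and ERROR hops; the REQUEST hop for the original URL is still decided by the path rules.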
Comment From: marcusdacoregio
13850 has been backported via #14078
Comment From: PavelBortnovskyi
I am facing the same issue. Cannot access any of permitAll endpoints. My Security configuration:
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity httpSec) throws Exception {
    httpSec.csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth -> auth
            .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
            .requestMatchers("/api/v1/auth/login").permitAll()
            .requestMatchers("/api/v1/auth/register").permitAll()
            .requestMatchers("/swagger-ui/**").permitAll()
            .requestMatchers("/swagger-resources/**").permitAll()
            .requestMatchers("/webjars/**").permitAll()
            .requestMatchers("/v2/api-docs").permitAll()
            .anyRequest().authenticated())
        .httpBasic(Customizer.withDefaults())
        .sessionManagement(httpSecuritySessionManagementConfigurer ->
            httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    // JWT token authentication
    httpSec.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
    // Filter for interception of JwtAuthenticationException from jwtAuthFilter
    httpSec.addFilterBefore(filterExceptionHandler, JwtAuthFilter.class);
    return httpSec.build();
}
```
TRACE log:
```
2024-03-06T17:07:06.378Z DEBUG 15416 --- [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2024-03-06T17:07:06.378Z DEBUG 15416 --- [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@5251a246
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@d4e88cd, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@401b7d95, org.springframework.security.web.context.SecurityContextHolderFilter@599521a8, org.springframework.security.web.header.HeaderWriterFilter@20ff6d2e, org.springframework.web.filter.CorsFilter@2529c7be, org.springframework.security.web.authentication.logout.LogoutFilter@6ec592dd, com.neo.mongocachetest.exceptions.FilterExceptionHandler@17abfbb, com.neo.mongocachetest.security.JwtAuthFilter@19ebd88c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6d81cf40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21db3fcc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@44610383, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de42d5b, org.springframework.security.web.session.SessionManagementFilter@3704cf67, org.springframework.security.web.access.ExceptionTranslationFilter@3337da04, org.springframework.security.web.access.intercept.AuthorizationFilter@243c9e9e]] (1/1)
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /swagger-ui/index.html
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterExceptionHandler (7/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking JwtAuthFilter (8/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (9/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Did not process authentication request since failed to find username and password in Basic Authorization header
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (13/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id ECB3065A5FFBD200FF920E6C0A1B8DCD
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (14/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (15/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@41209d0e]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@41209d0e] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda/0x000001a81465bb40@427f9bc8
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /swagger-ui/index.html
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@d4e88cd, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@401b7d95, org.springframework.security.web.context.SecurityContextHolderFilter@599521a8, org.springframework.security.web.header.HeaderWriterFilter@20ff6d2e, org.springframework.web.filter.CorsFilter@2529c7be, org.springframework.security.web.authentication.logout.LogoutFilter@6ec592dd, com.neo.mongocachetest.exceptions.FilterExceptionHandler@17abfbb, com.neo.mongocachetest.security.JwtAuthFilter@19ebd88c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6d81cf40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21db3fcc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@44610383, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de42d5b, org.springframework.security.web.session.SessionManagementFilter@3704cf67, org.springframework.security.web.access.ExceptionTranslationFilter@3337da04, org.springframework.security.web.access.intercept.AuthorizationFilter@243c9e9e]] (1/1)
2024-03-06T17:07:37.901Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterExceptionHandler (7/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking JwtAuthFilter (8/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (9/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (13/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (14/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (15/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@45b80f8a]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@45b80f8a]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@38b96bce
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
```
Comment From: drakgoku
I have the same problem. There is a specific type of configuration that causes the error to occur. This is like searching for a pin in a field of straw. I would ask you to reopen the thread.
Although if it remains closed it is less work to do. This option sounds better.
By the way, with error 999. Like looking for a pin.
Comment From: baiglin
@drakgoku Maybe check responses in https://github.com/spring-projects/spring-security/issues/10587
Comment From: Vishal-Bala907
I got the same problem with this code
```java
security.authorizeHttpRequests((req) -> req.requestMatchers("/").permitAll()
        .requestMatchers("/user/**").hasAnyRole("ADMIN", "USER").anyRequest().authenticated())
        .csrf(csrf -> csrf.disable()).formLogin(Customizer.withDefaults());
return security.build();
```
Then I just added the
```java
.dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
```
line, and after that my problem was solved.
```java
security.authorizeHttpRequests((req) -> req.requestMatchers("/").permitAll()
        .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
        .requestMatchers("/user/").hasAnyRole("ADMIN", "USER").anyRequest().authenticated())
        .csrf(csrf -> csrf.disable()).formLogin(Customizer.withDefaults());
```
Another solution is to add the Spring Security dependency when you are creating the project, not after creating the project.