With 2.7.x it works to call GET, POST, PUT, DELETE ... on http://localhost/open/whatever:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF off, CORS on; /open/** is public, /closed/** needs a valid JWT, everything else is denied
        http.csrf().disable().cors().and()
            .authorizeRequests(auth -> auth
                .antMatchers("/open/**").permitAll()
                .antMatchers("/closed/**").authenticated()
                .anyRequest().denyAll())
            .oauth2ResourceServer().jwt();
    }
}
But in 3.0 this only works for GET requests. All other types of requests fail with 403 Forbidden:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        System.out.println("we configure securityfilterchain");
        // Note: csrf() is not disabled here, so the CSRF filter is still active
        return http.authorizeHttpRequests(auth -> {
            auth.requestMatchers("/open/**").permitAll();
            auth.requestMatchers("/closed/**").authenticated();
            auth.anyRequest().denyAll();
        }).oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt).build();
    }
}
I put a sample project on my github account: https://github.com/hubertvolz/oauthnew and a (working) old implementation here: https://github.com/hubertvolz/oauthold.
Comment From: hubertvolz
This was my fault: Adding csrf().disable() fixed the issue. Sorry.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        System.out.println("we configure securityfilterchain");
        return http.authorizeHttpRequests(auth -> {
            auth.requestMatchers("/open/**").permitAll();
            auth.requestMatchers("/closed/**").authenticated();
            auth.anyRequest().denyAll();
        }).csrf().disable()  // CSRF filter no longer blocks POST/PUT/DELETE on /open/**
          .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt).build();
    }
}
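As an added example (not the issue author's code), the same fix written in the lambda-style DSL that Spring Security 6.1 and later recommend instead of the deprecated csrf().disable() chaining. It assumes the application is a pure bearer-token resource server: clients send the JWT in the Authorization header and never in a cookie, which is the condition under which switching off the CSRF filter does not weaken the service. The STATELESS session policy makes that assumption explicit so that no session cookie is ever created for these endpoints.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // Bearer-token API: never create an HTTP session, so there is no session cookie
            // that a cross-site request could ride on (assumption stated in the lead-in).
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // With no cookie-based authentication the CSRF filter has nothing to protect;
            // leaving it on is what produced the 403 on POST/PUT/DELETE in the issue.
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/open/**").permitAll()
                .requestMatchers("/closed/**").authenticated()
                .anyRequest().denyAll())
            // Validate the JWT from the Authorization header using the configured issuer/JWK set
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }
}
```

If the same application also serves browser sessions that authenticate with a cookie, keep CSRF enabled for those paths and register a separate SecurityFilterChain for the bearer-token API rather than disabling CSRF for the whole application.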