DEVHIDE
Login Or Sign up

Spring security failing to block the URLs

166 Views Asked by At

I have the following scenario where I have to allow only a particular URL and deny others. But I am not sure why its allowing both URLs

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        try{
            return http
                    .requestMatcher(new AntPathRequestMatcher("/RemoteHandlerServices/Handle"))
                        .authorizeHttpRequests(r -> r
                            .antMatchers("/RemoteHandlerServices/Handle").authenticated())
                    .requestMatcher(new AntPathRequestMatcher("/OtherHandlerServices/Test"))
                        .authorizeHttpRequests(r -> r
                            .antMatchers("/OtherHandlerServices/Test").denyAll()
                            .anyRequest().denyAll()
                    )
                    .build();

    } catch(Exception e){
            throw new RuntimeException("Authentication is failed");
        }
    }

Could someone explain me why this is happening?

java spring-boot spring-security spring-oauth2
Original Q&A
2

There are 2 best solutions below

0
On BEST ANSWER

You can try to substitute your filterChain with this one:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(url -> url
            .antMatchers("/RemoteHandlerServices/Handle").authenticated()
            .antMatchers("/OtherHandlerServices/Test").denyAll()
            .anyRequest().authenticated());
return http.build();

Pay attention that from Spring Security 5.8 the antMatchers (with some others) method has been deprecated and you should use requestMatchers. From Spring Security 6 they have been removed.

Remember that, by default, the first matching filter is the one that is applied to the url, so the next ones are discard.

Here are some useful links: security filters, httpsecurity, java config spring security

0
On

In current implementation i see some missconfiguration and also some deprecated things and based on it I suggest you to have a look at Migration Guide

Also to get what you want you should replace current one body method to next one:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
       http.authorizeHttpRequests(requestMatcherRegistry -> {
            requestMatcherRegistry.requestMatchers("/RemoteHandlerServices/Handle")
                .authenticated();
            requestMatcherRegistry.anyRequest().denyAll();
           });
       return http.build();
    }

Short summary about it: Every request to /RemoteHandlerServices/Handle should be authenticated and any others path requests will be denied.

To have more details how it work you have to read/check documentation

Related Questions in JAVA

Related Questions in SPRING-BOOT

Related Questions in SPRING-SECURITY

Related Questions in SPRING-OAUTH2

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.