I have a springboot app, and I'm trying to create two filters, one for the API and another one for the GUI, that's why I'm using "securityMatcher". Right now I am testing with the api filter only.
When I send a request with the correct credentials, it works just fine. But when I send invalid credentials or I do not include the authentication I get a 404, as if the endpoint didn't exist, instead of a 403/401. It seems as if it was falling trough the filter without being intercepted properly. As for what I understand, the securityMatcher should intercept this request (since it is for /api/something) and if it is not authenticated reply a 403 right away instead of continuing down the rest of the filters, am I mistaken?
This is my filter config:
@Bean
public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception{
http
.securityMatcher("/api/**")
.csrf(csrf->csrf.disable())
.authorizeHttpRequests(
configurer -> configurer
.anyRequest().authenticated()
)
.httpBasic(Customizer.withDefaults());
return http.build();
}
This is the trace when I send an unauthenticated request:
2024-03-07T14:07:38.852-03:00 INFO 4016 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/api/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@54052db, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@648d6e28, org.springframework.security.web.context.SecurityContextHolderFilter@6e5c0033, org.springframework.security.web.header.HeaderWriterFilter@28c8caa6, org.springframework.web.filter.CorsFilter@345b636a, org.springframework.security.web.authentication.logout.LogoutFilter@18dbee52, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@422e9db2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3083f3b9, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@78fb417b, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@22ebb5e, org.springframework.security.web.access.ExceptionTranslationFilter@7d16b4d6, org.springframework.security.web.access.intercept.AuthorizationFilter@1538a7d4]] (1/1)
2024-03-07T14:07:38.853-03:00 DEBUG 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /api/telemetry
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/12)
2024-03-07T14:07:38.853-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (7/12)
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Found username 'admin' in Basic Authorization header
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession A55EEDF1AE9AC3C5428BA15A466F010C using the SPRING_SECURITY_CONTEXT session attribute
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-07T14:07:38.854-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authenticating request with DaoAuthenticationProvider (1/1)
2024-03-07T14:07:39.012-03:00 DEBUG 4016 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider : Failed to authenticate since password does not match stored value
2024-03-07T14:07:39.014-03:00 DEBUG 4016 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Failed to process authentication request
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:89) ~[spring-security-core-6.2.1.jar:6.2.1]
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:147) ~[spring-security-core-6.2.1.jar:6.2.1]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.2.1.jar:6.2.1]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:187) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.3.jar:6.1.3]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:225) ~[spring-security-config-6.2.1.jar:6.2.1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
2024-03-07T14:07:39.018-03:00 DEBUG 4016 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2024-03-07T14:07:39.018-03:00 DEBUG 4016 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@39a54a32
2024-03-07T14:07:39.018-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-03-07T14:07:39.019-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/api/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@54052db, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@648d6e28, org.springframework.security.web.context.SecurityContextHolderFilter@6e5c0033, org.springframework.security.web.header.HeaderWriterFilter@28c8caa6, org.springframework.web.filter.CorsFilter@345b636a, org.springframework.security.web.authentication.logout.LogoutFilter@18dbee52, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@422e9db2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3083f3b9, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@78fb417b, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@22ebb5e, org.springframework.security.web.access.ExceptionTranslationFilter@7d16b4d6, org.springframework.security.web.access.intercept.AuthorizationFilter@1538a7d4]] (1/1)
2024-03-07T14:07:39.019-03:00 TRACE 4016 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : No security for POST /error