Trying to add security filters to my spring native application which was gonna deploy on aws lambda. So took a help of sample example of pet-store-native(spring boot + graalvm + aws serverless application). But adding filters to it, not working in an expected way.
Things not working as expected :
- .authorizeHttpRequests is not authorising request as specified.
- Some filters are running inside security filter chain and some are running outside it.
Security Configuration.class ->
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.cors(cors -> cors.disable())
.authorizeHttpRequests(auth -> {
auth
.requestMatchers("/pets").authenticated()
.anyRequest().permitAll();
// .anyRequest().permitAll();
})
.addFilterAfter(outsideFilter, CorsFilter.class)
.addFilterAfter(simpleFilter, UsernamePasswordAuthenticationFilter.class)
.sessionManagement(
sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS).sessionFixation().none());
return http.build();
}
OutsideProjectFilter.class (Using OncePerRequestFilter) ->
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
System.out.println("Running a filter outisde the current project.");
filterChain.doFilter(request, response);
}
SimpleFilter.class (Using OncePerRequestFilter) ->
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
System.out.println("Running a simple filter");
filterChain.doFilter(request, response);
}
DemoApplication.class ->
@SpringBootApplication(scanBasePackages = {"com.sample.filters","com.amazonaws.serverless.sample.springboot3"})
public class DemoApplication {
Trace Showing filters running outside filter chain ->
And even specifying .requestMatchers("/pets").authenticated(), able to access this endpoint.
Implementation - Source code on Github