i'm using spring-boot-starter-oauth2-resource-server 2.3.6.RELEASE. As described here the security config has to be done by providing:
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
.anyExchange().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(withDefaults())
);
return http.build();
}
Does anybody has an idea, how to add a "public" endpoint in the resource server, that is accessible ba an anonymous user?
Thanks Fredy
--- update 17.2.2021 8:43 ---
I changed the code as suggested, but still get a Access Denied.
In org.springframework.security.access.expression.SecurityExpressionRoot
Line 111 -> isAuthenticated() is returning false. That's correct, but for me just not so great.
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.pathMatchers("/init").permitAll()
.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
.anyExchange().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
return http.build();
}
Log:
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.FilterChainProxy [FilterChainProxy.java:328] /error at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.FilterChainProxy [FilterChainProxy.java:328] /error at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.intercept.FilterSecurityInterceptor [AbstractSecurityInterceptor.java:219] Secure object: FilterInvocation: URL: /error; Attributes: [authenticated]
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.intercept.FilterSecurityInterceptor [AbstractSecurityInterceptor.java:348] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@615c75f9: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1CF0ACC15C790FEA93EF30F39DDC6492; Granted Authorities: ROLE_ANONYMOUS
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.access.vote.AffirmativeBased [AffirmativeBased.java:66] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4e3ebe19, returned: -1
2021-02-17 08:33:11 DEBUG [http-nio-8082-exec-2] org.springframework.security.web.access.ExceptionTranslationFilter [ExceptionTranslationFilter.java:180] Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
