
Java Spring Security filter discarding PUT and POST when anonymous user

I am facing this problem...

I have the Spring Security filter in my web.xml:

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I am using Spring Security and I have this in my springSecurity-applicationContext.xml:

<http
        authentication-manager-ref="myAuthManager"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="authenticationEntryPoint"
        create-session="ifRequired"
        access-denied-page="/unauthorized">
    <custom-filter ref="myPreAuthenticatedFilter" position="PRE_AUTH_FILTER"/>
    <logout logout-success-url="/page/home"/>
    <anonymous key="anonymous"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/method/do" access="IS_AUTHENTICATED_ANONYMOUSLY()"/>
</http>

So, in myPreAuthenticationFilter I have a filter that extends AbstractPreAuthenticatedProcessingFilter.

I am trying to execute /method/do with a DELETE or a POST without success.

I am wondering what would be the best way to do it?

For some reason, when I put a breakpoint on myPreAuthenticationFilter at doFilter and make the request with DELETE, nothing happens; it only triggers when I do the GET.

I want that endpoint to have no security.

I made this and it worked:

<http pattern="/method/do" security="none"/>

Not sure why this works and the others don't, or where I should look.

Any idea?

The errors I get are Forbidden.

If using Spring Security 4 or above, the CSRF filter is enabled by default and it actually blocks any POST, PUT or DELETE request which does not include the CSRF token.

If you are not sending the CSRF token in these kinds of requests, you should make a test just disabling it by configuring <csrf disabled="true"/> in your secured <http> section in your security XML, this way:

<http
        authentication-manager-ref="myAuthManager"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="authenticationEntryPoint"
        create-session="ifRequired"
        access-denied-page="/unauthorized">
    <custom-filter ref="myPreAuthenticatedFilter" position="PRE_AUTH_FILTER"/>
    <logout logout-success-url="/page/home"/>
    <anonymous key="anonymous"/>

    <intercept-url pattern="/method/do" access="IS_AUTHENTICATED_ANONYMOUSLY()"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <csrf disabled="true"/>
</http>

Edit: I have just realized that the order of the intercept-url elements should be just the opposite, starting from the most specific and ending with the most generic (I have already modified it in the sample configuration I suggested).

In your case, it does not affect the behaviour, given that both mappings have the same access policy, but it should be this way.
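Disabling CSRF with <csrf disabled="true"/> removes the protection from every endpoint in that <http> block, not just /method/do. A narrower alternative, added here as an example and not part of the question or answer, is a RequestMatcher that keeps Spring Security's default rule (GET, HEAD, TRACE and OPTIONS never need a token) but exempts only the deliberately open path, wired in through the <csrf> element's request-matcher-ref attribute. The package, class and bean names are assumptions chosen for this example.

```java
package com.example.security; // hypothetical package, not from the original post

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Requires a CSRF token for every state-changing request except the
 * endpoints that are intentionally open ("/method/do" in the question).
 * Mirrors Spring Security's default: GET, HEAD, TRACE and OPTIONS are
 * considered safe and never need a token.
 */
public class OpenEndpointCsrfMatcher implements RequestMatcher {

    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    private final Set<String> exemptPaths;

    public OpenEndpointCsrfMatcher(String... exemptPaths) {
        this.exemptPaths = new HashSet<>(Arrays.asList(exemptPaths));
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // Safe methods never require a token (same rule as the default matcher).
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        // Path relative to the context root, e.g. "/method/do".
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        // Exempt paths skip CSRF; every other POST/PUT/DELETE still needs the token.
        return !exemptPaths.contains(path);
    }
}

// Wiring in the security XML (the bean id is a placeholder chosen here):
//   <beans:bean id="csrfMatcher" class="com.example.security.OpenEndpointCsrfMatcher">
//       <beans:constructor-arg value="/method/do"/>
//   </beans:bean>
//   <csrf request-matcher-ref="csrfMatcher"/>
```

With this in place a DELETE to /method/do passes the CsrfFilter, while every other state-changing request in the same <http> block still returns 403 without a valid token.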
