
403 Forbidden on custom authentication in Spring Security

I am implementing custom authentication using the AbstractAuthenticationProcessingFilter. When the user visits the /auth endpoint, the filter kicks in and authenticates the values in the cookie with another microservice. Upon successful authentication, it returns a custom implementation of Authentication and redirects the user to another endpoint.

However, although the authentication succeeds and I can see the Authentication object with the right authority in the successfulAuthentication callback, the redirect to the endpoint results in 403 forbidden.

CustomAuthentication class.

public class CustomAuthentication implements Authentication {
    ...
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return List.of(new SimpleGrantedAuthority("TRM"));
    }
    ...
}

CookieAuthenticationFilter class.

public class CookieAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    ...
    @Override
    protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult) throws java.io.IOException, javax.servlet.ServletException {
        System.out.println(authResult.getAuthorities());
        response.sendRedirect("/trm/");
    }
}

Finally, the configuration.

@Configuration
public class ApiConfiguration {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterBefore(new CookieAuthenticationFilter("/auth/**"), UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                .antMatchers("/trm/**")
                .hasAuthority("TRM");
        return http.build();
    }
}

Could someone please help me understand what is going wrong here?

Debug logs:

2022-07-17 09:17:13.082 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eb166a1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@554c4eaa, org.springframework.security.web.context.SecurityContextPersistenceFilter@77c233af, org.springframework.security.web.header.HeaderWriterFilter@10db6131, org.springframework.web.filter.CorsFilter@29fd8e67, org.springframework.security.web.authentication.logout.LogoutFilter@65e0b505, com.example.auth.authentication.CookieAuthenticationFilter@e146f93, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@37c41ec0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@35a0e495, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4bd5849e, org.springframework.security.web.session.SessionManagementFilter@4730e0f0, org.springframework.security.web.access.ExceptionTranslationFilter@2d5ef498, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@541179e7]] (1/1)
2022-07-17 09:17:13.082 DEBUG 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /auth/
2022-07-17 09:17:13.083 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
2022-07-17 09:17:13.083 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
2022-07-17 09:17:13.083 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking SecurityContextPersistenceFilter (3/13)
2022-07-17 09:17:13.088 TRACE 2314 --- [nio-9000-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2022-07-17 09:17:13.088 TRACE 2314 --- [nio-9000-exec-3] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-07-17 09:17:13.088 DEBUG 2314 --- [nio-9000-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-17 09:17:13.089 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
2022-07-17 09:17:13.093 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/13)
2022-07-17 09:17:13.094 TRACE 2314 --- [nio-9000-exec-3] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to HandlerExecutionChain with [ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]] and 3 interceptors
2022-07-17 09:17:13.094 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/13)
2022-07-17 09:17:13.094 TRACE 2314 --- [nio-9000-exec-3] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2022-07-17 09:17:13.095 TRACE 2314 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy        : Invoking CookieAuthenticationFilter (7/13)
2022-07-17 09:17:13.097 DEBUG 2314 --- [nio-9000-exec-3] o.s.web.client.RestTemplate              : HTTP GET localhost:8080/api/v1/agents/me/authorized-session?require_csrf=false
2022-07-17 09:17:13.098 DEBUG 2314 --- [nio-9000-exec-3] o.s.web.client.RestTemplate              : Accept=[application/json, application/*+json]
2022-07-17 09:17:13.099 DEBUG 2314 --- [nio-9000-exec-3] o.s.web.client.RestTemplate              : Writing [body] with org.springframework.http.converter.StringHttpMessageConverter
2022-07-17 09:17:14.470 DEBUG 2314 --- [nio-9000-exec-3] o.s.web.client.RestTemplate              : Response 200 OK
2022-07-17 09:17:14.471 DEBUG 2314 --- [nio-9000-exec-3] o.s.web.client.RestTemplate              : Reading to [com.example.auth.authentication.Agent]
2022-07-17 09:17:14.472 TRACE 2314 --- [nio-9000-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2022-07-17 09:17:14.472 DEBUG 2314 --- [nio-9000-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-17 09:17:14.472 DEBUG 2314 --- [nio-9000-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-17 09:17:14.472 DEBUG 2314 --- [nio-9000-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-07-17 09:17:14.474 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eb166a1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@554c4eaa, org.springframework.security.web.context.SecurityContextPersistenceFilter@77c233af, org.springframework.security.web.header.HeaderWriterFilter@10db6131, org.springframework.web.filter.CorsFilter@29fd8e67, org.springframework.security.web.authentication.logout.LogoutFilter@65e0b505, com.example.auth.authentication.CookieAuthenticationFilter@e146f93, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@37c41ec0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@35a0e495, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4bd5849e, org.springframework.security.web.session.SessionManagementFilter@4730e0f0, org.springframework.security.web.access.ExceptionTranslationFilter@2d5ef498, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@541179e7]] (1/1)
2022-07-17 09:17:14.474 DEBUG 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /trm/
2022-07-17 09:17:14.474 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
2022-07-17 09:17:14.474 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
2022-07-17 09:17:14.475 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SecurityContextPersistenceFilter (3/13)
2022-07-17 09:17:14.475 TRACE 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2022-07-17 09:17:14.475 TRACE 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-07-17 09:17:14.475 DEBUG 2314 --- [nio-9000-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-17 09:17:14.475 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
2022-07-17 09:17:14.477 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/13)
2022-07-17 09:17:14.477 TRACE 2314 --- [nio-9000-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.example.auth.controller.Api#joke()
2022-07-17 09:17:14.478 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/13)
2022-07-17 09:17:14.478 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2022-07-17 09:17:14.478 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking CookieAuthenticationFilter (7/13)
2022-07-17 09:17:14.479 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
2022-07-17 09:17:14.479 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.s.HttpSessionRequestCache        : No saved request
2022-07-17 09:17:14.479 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2022-07-17 09:17:14.479 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
2022-07-17 09:17:14.483 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2022-07-17 09:17:14.483 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
2022-07-17 09:17:14.483 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
2022-07-17 09:17:14.483 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking FilterSecurityInterceptor (13/13)
2022-07-17 09:17:14.484 TRACE 2314 --- [nio-9000-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.example.auth.controller.Api#joke()
2022-07-17 09:17:14.484 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
2022-07-17 09:17:14.485 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorizing filter invocation [GET /trm/] with attributes [hasAuthority('TRM')]
2022-07-17 09:17:14.490 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.expression.WebExpressionVoter  : Voted to deny authorization
2022-07-17 09:17:14.490 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /trm/] with attributes [hasAuthority('TRM')] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter@1a8df0b3], AllowIfAllAbstainDecisions=false]
2022-07-17 09:17:14.491 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access is denied
...

2022-07-17 09:17:14.513 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.s.HttpSessionRequestCache        : Did not save request since it did not match [And [Not [Ant [pattern='/**/favicon.*']], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@14252cbb, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]], Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@10484049, matchingMediaTypes=[multipart/form-data], useEquals=false, ignoredMediaTypes=[*/*]]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@5dbe642c, matchingMediaTypes=[text/event-stream], useEquals=false, ignoredMediaTypes=[*/*]]]]]
2022-07-17 09:17:14.515 DEBUG 2314 --- [nio-9000-exec-4] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2022-07-17 09:17:14.518 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2022-07-17 09:17:14.518 DEBUG 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-17 09:17:14.518 DEBUG 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-17 09:17:14.518 DEBUG 2314 --- [nio-9000-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-07-17 09:17:14.519 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eb166a1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@554c4eaa, org.springframework.security.web.context.SecurityContextPersistenceFilter@77c233af, org.springframework.security.web.header.HeaderWriterFilter@10db6131, org.springframework.web.filter.CorsFilter@29fd8e67, org.springframework.security.web.authentication.logout.LogoutFilter@65e0b505, com.example.auth.authentication.CookieAuthenticationFilter@e146f93, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@37c41ec0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@35a0e495, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4bd5849e, org.springframework.security.web.session.SessionManagementFilter@4730e0f0, org.springframework.security.web.access.ExceptionTranslationFilter@2d5ef498, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@541179e7]] (1/1)
2022-07-17 09:17:14.520 DEBUG 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /error
2022-07-17 09:17:14.520 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
2022-07-17 09:17:14.520 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
2022-07-17 09:17:14.520 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SecurityContextPersistenceFilter (3/13)
2022-07-17 09:17:14.521 TRACE 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2022-07-17 09:17:14.521 TRACE 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-07-17 09:17:14.521 DEBUG 2314 --- [nio-9000-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-17 09:17:14.521 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
2022-07-17 09:17:14.522 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/13)
2022-07-17 09:17:14.522 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/13)
2022-07-17 09:17:14.522 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2022-07-17 09:17:14.523 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking CookieAuthenticationFilter (7/13)
2022-07-17 09:17:14.523 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
2022-07-17 09:17:14.524 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.s.HttpSessionRequestCache        : No saved request
2022-07-17 09:17:14.524 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2022-07-17 09:17:14.524 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
2022-07-17 09:17:14.524 TRACE 2314 --- [nio-9000-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2022-07-17 09:17:14.526 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
2022-07-17 09:17:14.526 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
2022-07-17 09:17:14.526 TRACE 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Invoking FilterSecurityInterceptor (13/13)
2022-07-17 09:17:14.526 DEBUG 2314 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Secured GET /error
2022-07-17 09:17:14.528 TRACE 2314 --- [nio-9000-exec-4] edFilterInvocationSecurityMetadataSource : Did not match request to Mvc [pattern='/trm/**'] - [hasAuthority('TRM')] (1/1)
2022-07-17 09:17:14.528 TRACE 2314 --- [nio-9000-exec-4] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for GET "/error", parameters={}, headers={masked} in DispatcherServlet 'dispatcherServlet'
2022-07-17 09:17:14.528 TRACE 2314 --- [nio-9000-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2022-07-17 09:17:14.529 TRACE 2314 --- [nio-9000-exec-4] o.s.web.method.HandlerMethod             : Arguments: [SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionRequestWrapper@500a35e0]]
2022-07-17 09:17:14.530 DEBUG 2314 --- [nio-9000-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [application/json] and supported [application/json, application/*+json, application/json, application/*+json]
2022-07-17 09:17:14.531 TRACE 2314 --- [nio-9000-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Sun Jul 17 09:17:14 IST 2022, status=403, error=Forbidden, path=/trm/}]
2022-07-17 09:17:14.532 DEBUG 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-07-17 09:17:14.533 TRACE 2314 --- [nio-9000-exec-4] o.s.web.servlet.DispatcherServlet        : No view rendering, null ModelAndView returned.
2022-07-17 09:17:14.533 DEBUG 2314 --- [nio-9000-exec-4] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 403, headers={masked}
2022-07-17 09:17:14.533 DEBUG 2314 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-07-17 09:17:14.533 DEBUG 2314 --- [nio-9000-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

Looking at the code, it looks like the issue is with your filterChain method, where you have defined csrf. In your successfulAuthentication you are redirecting to another resource once that method (successfulAuthentication) is called. I think for that reason you also need to disable cors.

Try updating your filterChain and use the following call instead of the original http.csrf().disable();:

http.cors().and().csrf().disable();

Edit 1: if just adding the above didn't help, can you refactor your filterChain to the below?

http.cors().and().csrf().disable()
        .authorizeRequests().antMatchers("/trm/**")
        .hasAuthority("TRM");

http.addFilterBefore(new CookieAuthenticationFilter("/auth/**"), UsernamePasswordAuthenticationFilter.class);
return http.build();
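
The debug logs in the question show `Did not store empty SecurityContext` at the end of the `/auth/` request and an `AnonymousAuthenticationToken` on `/trm/`: the overridden `successfulAuthentication` redirects without putting the result into the `SecurityContextHolder`, which the inherited method does. As an added example (not code from the question or the answer), this version of the filter sets the context before redirecting; the cookie name, the `sessionLookup` function standing in for the call to the other microservice, and the use of `UsernamePasswordAuthenticationToken` in place of `CustomAuthentication` are assumptions.

```java
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class CookieAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Hypothetical cookie name; the question does not show which cookie is read.
    private static final String COOKIE_NAME = "EXAMPLE_SESSION";

    // Assumption: maps a cookie value to an agent name, standing in for the
    // question's elided REST call to the other microservice.
    private final Function<String, Optional<String>> sessionLookup;

    public CookieAuthenticationFilter(String defaultFilterProcessesUrl,
            Function<String, Optional<String>> sessionLookup) {
        super(defaultFilterProcessesUrl);
        this.sessionLookup = sessionLookup;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (!COOKIE_NAME.equals(c.getName())) {
                    continue;
                }
                Optional<String> agent = sessionLookup.apply(c.getValue());
                if (agent.isPresent()) {
                    // The three-argument constructor marks the token as authenticated.
                    return new UsernamePasswordAuthenticationToken(
                            agent.get(), null, List.of(new SimpleGrantedAuthority("TRM")));
                }
            }
        }
        throw new BadCredentialsException("No valid session cookie");
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Publish the result before the response is committed, so that
        // SecurityContextPersistenceFilter stores a non-empty context in the session.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        response.sendRedirect("/trm/");
    }
}
```

The same result comes from not overriding `successfulAuthentication` at all and calling `setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/trm/"))` on the filter, since the inherited method sets the context and then invokes the success handler.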
