I have a REST API on Spring MVC with OAuth2. In order to support expression handlers like `hasRole` and `hasAuthority`, I've added the following config:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // OAuth2-aware handler, so #oauth2.* expressions work in @PreAuthorize
        return new OAuth2MethodSecurityExpressionHandler();
    }
}
```
This made the `@PreAuthorize` annotation on a controller work:
```java
// Controller method only; the enclosing class and imports are not shown in the post
@RequestMapping(value = "/list", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
@PreAuthorize("hasAuthority('ROLE_USER')") // This works as expected
public List<Experiment> getExperimentList() {
    //...
}
```
At the same time I failed to make this configuration global for all controllers:
```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                MyAppAuthenticationProvider authenticationProvider) throws Exception {
        // MyAppAuthenticationProvider is the application's own provider (not shown in the post)
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
                .antMatchers("/api/**").hasAuthority("ROLE_USER") // This has no effect
                .anyRequest().fullyAuthenticated()
                .and()
            .exceptionHandling()
                // Answer with a bare 401 instead of redirecting to a login page
                .authenticationEntryPoint((request, response, authException) ->
                        response.sendError(HttpServletResponse.SC_UNAUTHORIZED));
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Registration bypasses the security filter chain entirely
        web.ignoring().antMatchers("/api/users/register/**");
    }
}
```
What am I missing?
Update 1. Spring log for request processing:

```text
12:13:37.689 [qtp114109618-21] DEBUG org.eclipse.jetty.server.HttpChannel - REQUEST for //localhost:3000/api/strategies/BenchmarkAlgos/layouts on HttpChannelOverHttp@1660325f{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts}
GET //localhost:3000/api/strategies/BenchmarkAlgos/layouts HTTP/1.1
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Referer: http://localhost:3000/strategies/BenchmarkAlgos
Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJkZWx0aXgud2JidC5hdXRoZW50aWNhdGlvbi5Vc2VyQ29udGV4dEA2ZjY
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: application/json, text/plain, */*
Connection: close
Host: localhost:3000
12:13:37.689 [qtp114109618-22] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@7d785c33{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list} onRequestComplete
12:13:37.689 [qtp114109618-21] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@1660325f{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts} onRequestComplete
12:13:37.689 [qtp114109618-22] DEBUG org.eclipse.jetty.server.HttpInput - HttpInputOverHTTP@418cd7f1[c=0,q=1,[0]=EOF,s=STREAM] addContent EOF
12:13:37.690 [qtp114109618-22] DEBUG o.e.jetty.server.HttpConnection - HttpConnection@2c6695ff[SelectChannelEndPoint@30734b42{/127.0.0.1:43538<->9990,Open,in,out,-,-,9/30000,HttpConnection@2c6695ff}{io=0/0,kio=0,kro=1}][p=HttpParser{s=END,0 of 0},g=HttpGenerator@1c6c8fd2{s=START},c=HttpChannelOverHttp@7d785c33{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list}] parsed true HttpParser{s=END,0 of 0}
12:13:37.690 [qtp114109618-21] DEBUG org.eclipse.jetty.server.HttpInput - HttpInputOverHTTP@d40b349[c=0,q=1,[0]=EOF,s=STREAM] addContent EOF
12:13:37.690 [qtp114109618-22] DEBUG o.e.jetty.server.HttpConnection - releaseRequestBuffer HttpConnection@2c6695ff[SelectChannelEndPoint@30734b42{/127.0.0.1:43538<->9990,Open,in,out,-,-,9/30000,HttpConnection@2c6695ff}{io=0/0,kio=0,kro=1}][p=HttpParser{s=END,0 of 0},g=HttpGenerator@1c6c8fd2{s=START},c=HttpChannelOverHttp@7d785c33{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list}]
12:13:37.690 [qtp114109618-22] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@7d785c33{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list} handle //localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list
12:13:37.690 [qtp114109618-21] DEBUG o.e.jetty.server.HttpConnection - HttpConnection@30207f11[SelectChannelEndPoint@6a7a625d{/127.0.0.1:43537<->9990,Open,in,out,-,-,9/30000,HttpConnection@30207f11}{io=0/0,kio=0,kro=1}][p=HttpParser{s=END,0 of 0},g=HttpGenerator@538cfd5e{s=START},c=HttpChannelOverHttp@1660325f{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts}] parsed true HttpParser{s=END,0 of 0}
12:13:37.690 [qtp114109618-22] DEBUG o.e.jetty.server.HttpChannelState - HttpChannelState@681709f3{s=IDLE a=NOT_ASYNC i=true r=!P!U w=false} handling IDLE
12:13:37.690 [qtp114109618-21] DEBUG o.e.jetty.server.HttpConnection - releaseRequestBuffer HttpConnection@30207f11[SelectChannelEndPoint@6a7a625d{/127.0.0.1:43537<->9990,Open,in,out,-,-,9/30000,HttpConnection@30207f11}{io=0/0,kio=0,kro=1}][p=HttpParser{s=END,0 of 0},g=HttpGenerator@538cfd5e{s=START},c=HttpChannelOverHttp@1660325f{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts}]
12:13:37.690 [qtp114109618-21] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@1660325f{r=1,c=false,a=IDLE,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts} handle //localhost:3000/api/strategies/BenchmarkAlgos/layouts
12:13:37.690 [qtp114109618-21] DEBUG o.e.jetty.server.HttpChannelState - HttpChannelState@25569b01{s=IDLE a=NOT_ASYNC i=true r=!P!U w=false} handling IDLE
12:13:37.691 [qtp114109618-22] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@7d785c33{r=1,c=false,a=DISPATCHED,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list} action DISPATCH
12:13:37.691 [qtp114109618-21] DEBUG org.eclipse.jetty.server.HttpChannel - HttpChannelOverHttp@1660325f{r=1,c=false,a=DISPATCHED,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts} action DISPATCH
12:13:37.692 [qtp114109618-21] DEBUG org.eclipse.jetty.server.Server - REQUEST GET /api/strategies/BenchmarkAlgos/layouts on HttpChannelOverHttp@1660325f{r=1,c=false,a=DISPATCHED,uri=//localhost:3000/api/strategies/BenchmarkAlgos/layouts}
12:13:37.692 [qtp114109618-22] DEBUG org.eclipse.jetty.server.Server - REQUEST GET /api/strategies/BenchmarkAlgos/experiment-set/list on HttpChannelOverHttp@7d785c33{r=1,c=false,a=DISPATCHED,uri=//localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list}
12:13:37.692 [qtp114109618-22] DEBUG o.e.j.server.handler.ContextHandler - scope null||/api/strategies/BenchmarkAlgos/experiment-set/list @ o.s.b.c.e.j.JettyEmbeddedWebAppContext@5c8ab9de{/,[file:///C:/Users/Samoussenkom/AppData/Local/Temp/jetty-docbase.623436375017274305.9990/],AVAILABLE}
12:13:37.692 [qtp114109618-21] DEBUG o.e.j.server.handler.ContextHandler - scope null||/api/strategies/BenchmarkAlgos/layouts @ o.s.b.c.e.j.JettyEmbeddedWebAppContext@5c8ab9de{/,[file:///C:/Users/Samoussenkom/AppData/Local/Temp/jetty-docbase.623436375017274305.9990/],AVAILABLE}
12:13:37.693 [qtp114109618-22] DEBUG o.e.j.server.handler.ContextHandler - context=||/api/strategies/BenchmarkAlgos/experiment-set/list @ o.s.b.c.e.j.JettyEmbeddedWebAppContext@5c8ab9de{/,[file:///C:/Users/Samoussenkom/AppData/Local/Temp/jetty-docbase.623436375017274305.9990/],AVAILABLE}
12:13:37.693 [qtp114109618-21] DEBUG o.e.j.server.handler.ContextHandler - context=||/api/strategies/BenchmarkAlgos/layouts @ o.s.b.c.e.j.JettyEmbeddedWebAppContext@5c8ab9de{/,[file:///C:/Users/Samoussenkom/AppData/Local/Temp/jetty-docbase.623436375017274305.9990/],AVAILABLE}
12:13:37.693 [qtp114109618-21] DEBUG org.eclipse.jetty.server.session - sessionManager=org.eclipse.jetty.server.session.HashSessionManager@2f1f9515
12:13:37.693 [qtp114109618-22] DEBUG org.eclipse.jetty.server.session - sessionManager=org.eclipse.jetty.server.session.HashSessionManager@2f1f9515
12:13:37.693 [qtp114109618-21] DEBUG org.eclipse.jetty.server.session - session=null
12:13:37.693 [qtp114109618-22] DEBUG org.eclipse.jetty.server.session - session=null
12:13:37.693 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - servlet |/api/strategies/BenchmarkAlgos/layouts|null -> dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.693 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - servlet |/api/strategies/BenchmarkAlgos/experiment-set/list|null -> dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.701 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - chain=characterEncodingFilter->hiddenHttpMethodFilter->httpPutFormContentFilter->requestContextFilter->springSecurityFilterChain->Jetty_WebSocketUpgradeFilter->dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.701 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - chain=characterEncodingFilter->hiddenHttpMethodFilter->httpPutFormContentFilter->requestContextFilter->springSecurityFilterChain->Jetty_WebSocketUpgradeFilter->dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.702 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter characterEncodingFilter
12:13:37.702 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter characterEncodingFilter
12:13:37.705 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter hiddenHttpMethodFilter
12:13:37.705 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter hiddenHttpMethodFilter
12:13:37.705 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter httpPutFormContentFilter
12:13:37.705 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter httpPutFormContentFilter
12:13:37.705 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter requestContextFilter
12:13:37.705 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter requestContextFilter
12:13:37.710 [qtp114109618-21] DEBUG o.s.b.w.f.OrderedRequestContextFilter - Bound request context to thread: Request(GET //localhost:3000/api/strategies/BenchmarkAlgos/layouts)@660ca9ae
12:13:37.710 [qtp114109618-22] DEBUG o.s.b.w.f.OrderedRequestContextFilter - Bound request context to thread: Request(GET //localhost:3000/api/strategies/BenchmarkAlgos/experiment-set/list)@577e2d42
12:13:37.710 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter springSecurityFilterChain
12:13:37.710 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter springSecurityFilterChain
12:13:37.710 [qtp114109618-21] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'springSecurityFilterChain'
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/api/users/register/**'
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/api/users/register/**'
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/oauth/token'
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/oauth/token'
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/oauth/token_key'
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/oauth/token_key'
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/oauth/check_token'
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/oauth/check_token'
12:13:37.711 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
12:13:37.711 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
12:13:37.712 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:13:37.712 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:13:37.714 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
12:13:37.714 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
12:13:37.714 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:13:37.714 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:13:37.716 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
12:13:37.716 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/logout'
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/logout'
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/experiment-set/list' doesn't match 'POST /logout
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/layouts' doesn't match 'POST /logout
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/experiment-set/list' doesn't match 'PUT /logout
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/layouts' doesn't match 'PUT /logout
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/experiment-set/list' doesn't match 'DELETE /logout
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/strategies/BenchmarkAlgos/layouts' doesn't match 'DELETE /logout
12:13:37.716 [qtp114109618-22] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
12:13:37.716 [qtp114109618-21] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
12:13:37.716 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
12:13:37.716 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
12:13:37.730 [qtp114109618-22] DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter - Authentication success: org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}
12:13:37.730 [qtp114109618-21] DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter - Authentication success: org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}
12:13:37.730 [qtp114109618-22] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'webSocketEventListener'
12:13:37.730 [qtp114109618-22] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
12:13:37.730 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
12:13:37.730 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
12:13:37.732 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
12:13:37.732 [qtp114109618-21] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}'
12:13:37.732 [qtp114109618-22] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}'
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
12:13:37.732 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
12:13:37.732 [qtp114109618-22] DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@4349f52c
12:13:37.732 [qtp114109618-21] DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@4349f52c
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
12:13:37.732 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
12:13:37.732 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
12:13:37.732 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
12:13:37.733 [qtp114109618-21] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/layouts'; against '/api/**'
12:13:37.733 [qtp114109618-22] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/strategies/BenchmarkAlgos/experiment-set/list'; against '/api/**'
12:13:37.733 [qtp114109618-21] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/strategies/BenchmarkAlgos/layouts; Attributes: [#oauth2.throwOnError(#oauth2.hasScope('trust'))]
12:13:37.733 [qtp114109618-22] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/strategies/BenchmarkAlgos/experiment-set/list; Attributes: [#oauth2.throwOnError(#oauth2.hasScope('trust'))]
12:13:37.733 [qtp114109618-21] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}
12:13:37.733 [qtp114109618-22] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@5ba6fe75: Principal: mycompany.wbbt.authentication.UserContext@6f65e0ba; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: {authority=ROLE_ADMINISTRATOR}
12:13:37.738 [qtp114109618-22] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a26c51a, returned: 1
12:13:37.738 [qtp114109618-21] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a26c51a, returned: 1
12:13:37.738 [qtp114109618-22] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
12:13:37.738 [qtp114109618-21] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
12:13:37.738 [qtp114109618-22] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
12:13:37.738 [qtp114109618-21] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
12:13:37.739 [qtp114109618-22] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/experiment-set/list reached end of additional filter chain; proceeding with original chain
12:13:37.739 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call filter Jetty_WebSocketUpgradeFilter
12:13:37.739 [qtp114109618-21] DEBUG o.s.security.web.FilterChainProxy - /api/strategies/BenchmarkAlgos/layouts reached end of additional filter chain; proceeding with original chain
12:13:37.739 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call filter Jetty_WebSocketUpgradeFilter
12:13:37.739 [qtp114109618-22] DEBUG o.e.jetty.servlet.ServletHandler - call servlet dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.739 [qtp114109618-21] DEBUG o.e.jetty.servlet.ServletHandler - call servlet dispatcherServlet@7ef5559e==org.springframework.web.servlet.DispatcherServlet,jsp=null,order=-1,inst=true
12:13:37.740 [qtp114109618-21] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/api/strategies/BenchmarkAlgos/layouts]
12:13:37.740 [qtp114109618-22] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/api/strategies/BenchmarkAlgos/experiment-set/list]
12:13:37.743 [qtp114109618-21] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /api/strategies/BenchmarkAlgos/layouts
12:13:37.743 [qtp114109618-22] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /api/strategies/BenchmarkAlgos/experiment-set/list
12:13:37.753 [qtp114109618-21] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Returning handler method [public java.util.List<mycompany.wbbt.strategy.data.Manifest> mycompany.wbbt.controllers.StrategiesController.getLayoutManifests(java.lang.String,java.security.Principal) throws java.io.IOException]
12:13:37.753 [qtp114109618-21] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'strategiesController'
12:13:37.753 [qtp114109618-22] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Returning handler method [public java.util.List<mycompany.wbbt.strategy.dto.experiment.ExperimentSetDto> mycompany.wbbt.controllers.ExperimentSetResultsController.getExperimentSetListForUser(java.lang.String,java.security.Principal)]
12:13:37.754 [qtp114109618-22] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'experimentSetResultsController'
12:13:37.754 [qtp114109618-21] DEBUG o.s.web.servlet.DispatcherServlet - Last-Modified value for [/api/strategies/BenchmarkAlgos/layouts] is: -1
12:13:37.754 [qtp114109618-22] DEBUG o.s.web.servlet.DispatcherServlet - Last-Modified value for [/api/strategies/BenchmarkAlgos/experiment-set/list] is: -1
12:13:37.754 [qtp114109618-22] DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
12:13:37.754 [qtp114109618-21] DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
```
OK, I've got it. I was using the wrong place for `hasAuthority` checks. I put those into `public class WebSecurityConfig extends WebSecurityConfigurerAdapter`, while the proper place was `protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter`. This works as expected:
```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                WbbtAuthenticationProvider authenticationProvider) throws Exception {
        // WbbtAuthenticationProvider is the application's own provider (not shown in the post)
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No URL rules here any more, only the bare 401 entry point
        http
            .exceptionHandling()
            .authenticationEntryPoint((request, response, authException) ->
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED));
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/api/users/register/**");
    }
}

// Nested static class; its enclosing @Configuration class is not shown in the post
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Only tokens issued for resource id "web" are accepted
        resources
            .resourceId("web");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // URL authorization rules belong in the resource server's filter chain
        http
            .authorizeRequests()
            .antMatchers("/api/**").access("hasAuthority('ROLE_USER')")
            .anyRequest().fullyAuthenticated();
    }
}
```
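Why the rule in `WebSecurityConfig` was never consulted: `@EnableResourceServer` registers its own filter chain at order 3, ahead of `WebSecurityConfigurerAdapter`'s default order 100, and by default that chain claims every request except the authorization server's own endpoints (the `/oauth/token`, `/oauth/token_key` and `/oauth/check_token` matchers tried in the log), so `/api/**` was decided by the resource server's `FilterSecurityInterceptor` with its OAuth2 expression handler (the `#oauth2.throwOnError(...)` attribute in the log) and the `WebSecurityConfig` chain never saw the request. The following is an added example, not code from the post, that narrows the resource-server chain to `/api/**` so the two chains stop overlapping; the class name `ApiResourceServerConfig` is mine, while `resourceId("web")` and the `/api/**` rule come from the post.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Added example (hypothetical class name, not from the post): a resource-server
// chain that only claims /api/** instead of every request.
@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Same resource id as in the post: bearer tokens issued for another
        // resource id are rejected before any URL rule is evaluated.
        resources.resourceId("web");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain (order 3) to the API. Requests outside /api/**
            // never enter it and fall through to the WebSecurityConfigurerAdapter
            // chain (order 100), whose rules are then actually evaluated.
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            .authorizeRequests()
                // Evaluated by this chain's FilterSecurityInterceptor against the
                // authorities carried by the bearer token.
                .antMatchers("/api/**").access("hasAuthority('ROLE_USER')")
                // Nothing else can reach this chain, so fail closed rather than
                // leave a permissive catch-all behind.
                .anyRequest().denyAll();
        // /api/users/register/** stays reachable without a token because
        // web.ignoring() in WebSecurityConfig applies to the whole FilterChainProxy.
    }
}
```

`requestMatchers()` is the pre-6.0 `HttpSecurity` API that the spring-security-oauth2 stack in the post runs on; after narrowing the chain, check the same debug log for `/api/**` and for a non-API path to confirm that each one reaches the chain you intended.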