Spring Boot Security Hell

Currently I am building some web app. The problem is that I have a login method dedicated for anyone to use:

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}

As it can be seen I've directly told it to throw FAILED_DEPENDENCY (just as a test), because my security config:

csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});

csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});

always makes it return 403 when an exception occurred. No matter what exception is thrown, it answers with a 403 when using the endpoint "/api/v1/user/login". When no error is thrown it works, so I don't know what is going on...

Spring Boot Security Hell

Currently I am building some web app. The problem is that I have a login method dedicated for anyone to use:

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}

@PostMapping("/login")
public @NotNull ResponseEntity<@Nullable String> requestNormalLogin(@NotNull @RequestBody UserLoginModel model)
{
    throw new ResponseStatusException(HttpStatus.FAILED_DEPENDENCY);
    /*log.info("The server has recognized an incoming normal login request login name {}.", model.loginName());
    return getService().requestLogin(model).map((token) ->
    {
        String jwt = token.jwt();
        return ResponseEntity.ok(jwt);
    }).orElseThrow(this::unauthorizedThrowable);*/
}

As it can be seen I've directly told it to throw FAILED_DEPENDENCY (just as a test), because my security config:

csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});

csrf.addFilterBefore(jwtFilter, clazz).authorizeHttpRequests(auth ->
{
    auth.requestMatchers(HttpMethod.POST, "/api/v1/user/login").anonymous();
    auth.requestMatchers(HttpMethod.GET,"/api/v1/user/logout").permitAll();
    auth.anyRequest().authenticated();
});

Spring Boot Security Hell

Similar Threads

Spring Boot Security Hell

Similar Threads

Similar Threads

Similar Threads