Spring Security Configuration Issue: Permit All Not working #14011

Closed
dv0892 opened this issue Oct 13, 2023 · 14 comments
Labels: in: config (An issue in spring-security-config), status: invalid (An issue that we don't feel is valid), type: bug (A general bug)

@dv0892

dv0892 commented Oct 13, 2023

I am configuring a bean of type SecurityFilterChain in a very simple Spring Boot application with JSP.

URIs like / or /welcome should be accessible by anyone.

But the URI /authenticate or any other request should require authentication.

Here is the security config:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth ->
            auth.requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
                .anyRequest().authenticated()
        )
        .formLogin(Customizer.withDefaults())
        .httpBasic(Customizer.withDefaults());

    return http.build();
}

But it is asking me to log in for every URI pattern, including / and /welcome.

I have attached my sample repository on which I am facing this issue
https://github.com/dv0892/Security-Sample/tree/master

Seems like permitAll() is not working.
Please let me know if anything else is required

@dv0892 dv0892 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 13, 2023
@chipbk10

I got the same issue

@marcusdacoregio
Contributor

Hi, @dv0892. Have you enabled TRACE logging to check where the authentication error is happening? Have you enabled the FORWARD dispatcher type?

@marcusdacoregio marcusdacoregio added the status: waiting-for-feedback We need additional information before we can continue label Oct 16, 2023
@chipbk10

Yes. Please look at the simple code below. You can reproduce it easily.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(CsrfConfigurer::disable)
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers("/home").permitAll()
                )
                .formLogin(withDefaults())
                .build();
    }
}
@Controller
public class AuthController {
    @GetMapping("/home")
    public String home() {
        return "Home Page";
    }
}

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 17, 2023
@marcusdacoregio
Contributor

I don't see you allowing FORWARD, nor have you provided any logs that can help to know what is happening. Please try what I recommended, and, if you really believe that there is a bug in Spring Security, please create a minimal, reproducible sample and write up your findings.

@marcusdacoregio marcusdacoregio added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Oct 17, 2023
@chipbk10

@dv0892 has created a sample project that can reproduce this issue: https://github.com/dv0892/Security-Sample/tree/master

Can you provide the code to do the FORWARD like you mention? Thanks

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 17, 2023
@chipbk10

Even though I have enabled the FORWARD dispatcher type, it's still not working. When I enter localhost:8080/home, it still asks for login:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(CsrfConfigurer::disable)
                .authorizeHttpRequests(requests -> requests
                        .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                        .requestMatchers("/home").permitAll()
                        .anyRequest().denyAll()
                )

                .formLogin(withDefaults())
                .build();
    }
}

@Controller
public class AuthController {
    @GetMapping("/home")
    public String home() {
        return "Home Page";
    }
}

@xtyuns

xtyuns commented Oct 22, 2023

> I am configuring a bean of type SecurityFilterChain in a very simple spring boot application with jsp .
>
> URI's like / or /welcome should be accessible by anyone
>
> But URI /authenticate or any other request should require authentication
>
> Here is Security Config
>
> @Bean
> public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
>     http.csrf(AbstractHttpConfigurer::disable)
>         .authorizeHttpRequests(auth ->
>             auth.requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
>                 .anyRequest().authenticated()
>         )
>         .formLogin(Customizer.withDefaults())
>         .httpBasic(Customizer.withDefaults());
>
>     return http.build();
> }
>
> But it is asking me to login to every URI pattern including / and /welcome.
>
> I have attached my sample repository on which I am facing this issue https://github.com/dv0892/Security-Sample/tree/master
>
> Seems like permitAll() is not working. Please let me know if anything else is required

I think it's not a good idea to mix Spring Boot and JSP together. This is also the main problem in this issue besides forward.

@chipbk10

Finally, I found the solution here: https://stackoverflow.com/questions/77331852/how-do-i-set-a-home-page-can-be-opened-by-anyone-in-spring-security

The problem is that my application file is not placed at the root package.

@marcusdacoregio marcusdacoregio self-assigned this Oct 23, 2023
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: feedback-provided Feedback has been provided labels Oct 23, 2023
@marcusdacoregio
Contributor

marcusdacoregio commented Oct 27, 2023

Hi, @dv0892. Your configuration should look like this:

@Bean
public SecurityFilterChain filterChain( HttpSecurity http , MvcRequestMatcher.Builder mvc) throws Exception {
	http.csrf(AbstractHttpConfigurer::disable)
	.authorizeHttpRequests(auth ->
		auth
				.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
				.requestMatchers(mvc.pattern("/"), mvc.pattern("/welcome")).permitAll()
				.anyRequest().authenticated()
		)
	.formLogin(Customizer.withDefaults())
	.httpBasic(Customizer.withDefaults());

	return http.build();
}

@Scope("prototype")
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
	return new MvcRequestMatcher.Builder(introspector);
}

Note that I removed the servletPath("/") from the MvcRequestMatcher.Builder bean since you want to match the default servlet instead of one mapped under /. It seems a bit weird because the error message when not using the MVC request matcher says:

This is because there is more than one mappable servlet in your servlet context: {org.apache.jasper.servlet.JspServlet=[*.jspx, *.jsp], org.springframework.web.servlet.DispatcherServlet=[/]}.

In 6.2, that behavior has been fixed by #13850 where you can use .requestMatchers("/", "/welcome"). I'll check with @jzheaux whether that issue should be back-ported.

Then, you must allow DispatcherType.FORWARD because Spring MVC will forward the request to /WEB-INF/views/welcome.jsp.

I'll close this since this is a configuration issue and not a bug, however I'll keep this updated if we can somehow improve the misleading error message.

@marcusdacoregio marcusdacoregio added the status: invalid An issue that we don't feel is valid label Oct 27, 2023
@marcusdacoregio
Contributor

#13850 has been backported via #14078

@PavelBortnovskyi

PavelBortnovskyi commented Mar 6, 2024

I am facing the same issue. Cannot access any of permitAll endpoints. My Security configuration:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSec) throws Exception {

        httpSec.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth
                        .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
                        .requestMatchers("/api/v1/auth/login").permitAll()
                        .requestMatchers("/api/v1/auth/register").permitAll()
                        .requestMatchers("/swagger-ui/**").permitAll()
                        .requestMatchers("/swagger-resources/**").permitAll()
                        .requestMatchers("/webjars/**").permitAll()
                        .requestMatchers("/v2/api-docs").permitAll()
                        .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .sessionManagement(httpSecuritySessionManagementConfigurer ->
                        httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        // JWT token authentication
        httpSec.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

        // Filter for interception of JwtAuthenticationException from jwtAuthFilter
        httpSec.addFilterBefore(filterExceptionHandler, JwtAuthFilter.class);

        return httpSec.build();
    }

TRACE log:

2024-03-06T17:07:06.378Z DEBUG 15416 --- [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2024-03-06T17:07:06.378Z DEBUG 15416 --- [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@5251a246
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@d4e88cd, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@401b7d95, org.springframework.security.web.context.SecurityContextHolderFilter@599521a8, org.springframework.security.web.header.HeaderWriterFilter@20ff6d2e, org.springframework.web.filter.CorsFilter@2529c7be, org.springframework.security.web.authentication.logout.LogoutFilter@6ec592dd, com.neo.mongocachetest.exceptions.FilterExceptionHandler@17abfbb, com.neo.mongocachetest.security.JwtAuthFilter@19ebd88c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6d81cf40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21db3fcc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@44610383, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de42d5b, org.springframework.security.web.session.SessionManagementFilter@3704cf67, org.springframework.security.web.access.ExceptionTranslationFilter@3337da04, org.springframework.security.web.access.intercept.AuthorizationFilter@243c9e9e]] (1/1)
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /swagger-ui/index.html
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterExceptionHandler (7/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking JwtAuthFilter (8/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (9/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Did not process authentication request since failed to find username and password in Basic Authorization header
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (13/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id ECB3065A5FFBD200FF920E6C0A1B8DCD
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (14/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (15/15)
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@41209d0e]
2024-03-06T17:07:37.899Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@41209d0e] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda/0x000001a81465bb40@427f9bc8
2024-03-06T17:07:37.899Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /swagger-ui/index.html
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@d4e88cd, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@401b7d95, org.springframework.security.web.context.SecurityContextHolderFilter@599521a8, org.springframework.security.web.header.HeaderWriterFilter@20ff6d2e, org.springframework.web.filter.CorsFilter@2529c7be, org.springframework.security.web.authentication.logout.LogoutFilter@6ec592dd, com.neo.mongocachetest.exceptions.FilterExceptionHandler@17abfbb, com.neo.mongocachetest.security.JwtAuthFilter@19ebd88c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6d81cf40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21db3fcc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@44610383, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de42d5b, org.springframework.security.web.session.SessionManagementFilter@3704cf67, org.springframework.security.web.access.ExceptionTranslationFilter@3337da04, org.springframework.security.web.access.intercept.AuthorizationFilter@243c9e9e]] (1/1)
2024-03-06T17:07:37.901Z DEBUG 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterExceptionHandler (7/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking JwtAuthFilter (8/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (9/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (10/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (11/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (12/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (13/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (14/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (15/15)
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@45b80f8a]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@45b80f8a]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@38b96bce
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-03-06T17:07:37.901Z TRACE 15416 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:91) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.4.jar:6.1.4]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230) ~[spring-security-config-6.2.2.jar:6.2.2]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.4.jar:6.1.4]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.4.jar:6.1.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.4.jar:6.1.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:410) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:340) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:362) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:222) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.19.jar:10.1.19]
at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
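
One way to read a TRACE log like the one in the comment above, as an added example (not code from this thread or from Spring Security): it pairs each `Securing …` line with its outcome per thread and reports whether a denial landed on the URL the client requested or on a follow-up dispatch to `/error`. The sample lines are constructed, abbreviated from the log format above; the path `/api/v1/orders`, the helper names, and the assumption that the application keeps Spring Boot's default `/error` path are not from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ERROR_PATH = "/error"  # assumption: Spring Boot's default error path is in use

def _line(level: str, thread: int, logger: str, msg: str) -> str:
    """Build one constructed log line in the layout shown in the comment above."""
    return f"2024-03-06T17:07:37.899Z {level} 15416 --- [nio-8080-exec-{thread}] {logger} : {msg}"

FCP = "o.s.security.web.FilterChainProxy"
RMD = "estMatcherDelegatingAuthorizationManager"
ETF = "o.s.s.w.a.ExceptionTranslationFilter"
PERMIT = ("org.springframework.security.config.annotation.web.configurers."
          "AuthorizeHttpRequestsConfigurer$$Lambda/0x0@0")
AUTHD = "org.springframework.security.authorization.AuthenticatedAuthorizationManager@0"
DENIED = ("Sending AnonymousAuthenticationToken [Principal=anonymousUser] "
          "to authentication entry point since access is denied")

# Constructed sample: two worker threads interleaved. Thread 1 mirrors the
# sequence in the log above; thread 2 is a made-up direct denial for contrast.
SAMPLE_LOG = "\n".join([
    _line("DEBUG", 1, FCP, "Securing GET /swagger-ui/index.html"),
    _line("DEBUG", 2, FCP, "Securing GET /api/v1/orders"),
    _line("TRACE", 1, RMD, f"Checking authorization on Wrapper[ Req@0] using {PERMIT}"),
    _line("DEBUG", 1, FCP, "Secured GET /swagger-ui/index.html"),
    _line("TRACE", 2, RMD, f"Checking authorization on Wrapper[ Req@1] using {AUTHD}"),
    _line("TRACE", 2, ETF, DENIED),
    _line("DEBUG", 1, FCP, "Securing GET /error"),
    _line("TRACE", 1, RMD, f"Checking authorization on Wrapper[ Req@2] using {AUTHD}"),
    _line("TRACE", 1, ETF, DENIED),
])

LINE = re.compile(r"^\S+\s+(?:TRACE|DEBUG|INFO|WARN|ERROR)\s+\d+\s+---\s+"
                  r"\[\s*([^\]]+)\]\s+\S+\s+:\s+(.*)$")
SECURING = re.compile(r"^Securing (\S+) (\S+)$")
SECURED = re.compile(r"^Secured (\S+) (\S+)$")
USING = re.compile(r"^Checking authorization on .* using (\S+)$")

@dataclass
class Dispatch:
    thread: str
    method: str
    path: str
    manager: Optional[str] = None  # authorization manager that made the decision
    outcome: str = "unknown"       # "secured", "denied" or "unknown"

def short_manager(name: str) -> str:
    """Drop the package, the lambda suffix and the object hash from a class name."""
    return re.split(r"[@$]", name.rsplit(".", 1)[-1])[0]

def parse_dispatches(text: str) -> List[Dispatch]:
    """Group log lines by thread into one record per 'Securing METHOD PATH' line."""
    current = {}   # thread name -> dispatch currently passing through the chain
    result = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue   # stack-trace frames and other lines are skipped
        thread, msg = m.group(1), m.group(2)
        if (s := SECURING.match(msg)):
            current[thread] = Dispatch(thread, s.group(1), s.group(2))
            result.append(current[thread])
            continue
        d = current.get(thread)
        if d is None:
            continue
        if (u := USING.match(msg)):
            d.manager = short_manager(u.group(1))
        elif SECURED.match(msg):
            d.outcome = "secured"
        elif msg.endswith("since access is denied"):
            d.outcome = "denied"
    return result

def explain(dispatches: List[Dispatch]) -> List[str]:
    """One finding per denial, noting when it hit /error instead of the requested URL."""
    findings = []
    for i, d in enumerate(dispatches):
        if d.outcome != "denied":
            continue
        # Heuristic: worker threads are pooled, so "previous dispatch on the same
        # thread" is only a hint that the two belong to one client request.
        prev = next((p for p in reversed(dispatches[:i]) if p.thread == d.thread), None)
        if d.path == ERROR_PATH and prev is not None and prev.outcome == "secured":
            findings.append(
                f"{prev.method} {prev.path} passed authorization ({prev.manager}); "
                f"the denial is on the follow-up dispatch to {d.path} ({d.manager})")
        else:
            findings.append(f"{d.method} {d.path} denied by {d.manager}")
    return findings

if __name__ == "__main__":
    for finding in explain(parse_dispatches(SAMPLE_LOG)):
        print(finding)
```

To use it on a real application, capture the output produced with `logging.level.org.springframework.security=TRACE` and pass the text to `parse_dispatches`.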

@drakgoku

drakgoku commented Jul 23, 2024

I have the same problem. There is a specific type of configuration that causes the error to occur.
This is like searching for a pin in a field of straw.
I would ask you to reopen the thread.

Although if it remains closed it is less work to do. This option sounds better.

By the way, with error 999. Like looking for a pin.

@baiglin

baiglin commented Aug 7, 2024

@drakgoku Maybe check responses in #10587

@Vishal-Bala907

I got the same problem with this code:

security.authorizeHttpRequests((req) -> req
        .requestMatchers("/").permitAll()
        .requestMatchers("/user/**").hasAnyRole("ADMIN", "USER")
        .anyRequest().authenticated())
    .csrf(csrf -> csrf.disable())
    .formLogin(Customizer.withDefaults());
return security.build();

Then I just added the

.dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()

line, and after that my problem was solved.

security.authorizeHttpRequests((req) -> req
        .requestMatchers("/").permitAll()
        .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
        .requestMatchers("/user/").hasAnyRole("ADMIN", "USER")
        .anyRequest().authenticated())
    .csrf(csrf -> csrf.disable())
    .formLogin(Customizer.withDefaults());

Another solution is to add the Spring Security dependency when you are creating the project, not after creating the project.
