Java Security Bug

Hi everyone,

I'm using this tutorial, Auth0 Spring Boot API SDK Quickstarts: Authorization,
to protect my REST API with auth and call the services from Angular, but I have a strange bug: when my call is a PUT or POST the Java application validates the access_token, but when my call is a GET the services don't try to validate the access_token.

This is my security config:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Value("${auth0.audience}")
	private String audience;

	@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
	private String issuer;

	@Override
	public void configure(HttpSecurity http) throws Exception {
		// Configuration as originally posted. Note that mvcMatchers() patterns are compared
		// against the path inside the application, i.e. after the servlet context path has
		// been stripped, and that a request matching none of the rules below is not
		// subject to any authorization rule.
		http.authorizeRequests()
				.mvcMatchers("**/public/**").permitAll()
				.mvcMatchers("/my_proyect_name/**").authenticated()
				.and().cors()
				.and().oauth2ResourceServer().jwt();
	}

	@Bean
	JwtDecoder jwtDecoder() {
		// Builds a decoder from the issuer's OIDC discovery document (network call at startup).
		NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);

		// AudienceValidator is the small OAuth2TokenValidator<Jwt> class from the Auth0
		// quickstart that checks the token's "aud" claim contains the configured audience.
		OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
		OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
		OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

		jwtDecoder.setJwtValidator(withAudience);

		return jwtDecoder;
	}

}

And this is my services controller:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin(origins = "*")
@RequestMapping(path = "empresa", produces = MediaType.APPLICATION_JSON_VALUE)
public class EmpresaController {

	@Autowired
	EmpresaServiceImpl empresaService;

	@PostMapping(value = "/crear")
	public ResponseEntity<Empresa> crearEmpresa() {
		try {
			Empresa _empresa = empresaService.crear();
			return new ResponseEntity<>(_empresa, HttpStatus.CREATED);
		} catch (Exception e) {
			return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
		}
	}

	@PutMapping(value = "/actualizar/{id}")
	public ResponseEntity<Empresa> actualizarEmpresa(@PathVariable Long id) {
		try {
			Empresa e = empresaService.buscarPorId(id);
			Empresa _empresa = empresaService.editarEmpresa(e);
			// An update of an existing resource is reported as 200 OK, not 201 CREATED.
			return new ResponseEntity<>(_empresa, HttpStatus.OK);
		} catch (Exception e) {
			return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
		}
	}

	@GetMapping(value = "/buscar/{id}")
	public ResponseEntity<Empresa> buscar(@PathVariable Long id) {
		try {
			Empresa _empresa = empresaService.buscarPorId(id);
			// A read returns 200 OK; nothing was created.
			return new ResponseEntity<>(_empresa, HttpStatus.OK);
		} catch (Exception e) {
			return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
		}
	}

}

Thanks for your help!

UPDATE
The problem was in my application.properties.
It had the property server.servlet.context-path: /my_proyect_name and Auth0 recognizes the path from that.

My solution was:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .mvcMatchers("/public/**").permitAll()
            .mvcMatchers("/private/**").authenticated()
            .mvcMatchers("/private-scoped/**").hasAuthority("SCOPE_read:messages")
            .and().cors()
            .and().oauth2ResourceServer().jwt();
}

and in my controller, something like this:

@RestController
@CrossOrigin(origins = "*")
@RequestMapping(path = "private/empresa", produces = MediaType.APPLICATION_JSON_VALUE)
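The fix above works because Spring Security's mvcMatchers() are evaluated against the path inside the application, with the servlet context path (/my_proyect_name) already removed, so "/private/**" matches while "/my_proyect_name/**" never did. The regression test below is an added example, not code from the thread or from Auth0. It assumes the SecurityConfig, EmpresaController, EmpresaServiceImpl and Empresa classes from the posts (and that Empresa has a no-argument constructor), JUnit 5 with spring-boot-starter-test and spring-security-test on the test classpath, and the placeholder audience and issuer values shown are constructed, not the poster's. The JwtDecoder bean is replaced with a mock so the test does not contact the issuer; the jwt() post-processor injects an already-authenticated JWT principal, so the decoder is never used.

```java
import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

// Added example: verifies the corrected SecurityConfig under the context path that caused
// the original symptom. Property values are constructed placeholders (assumption).
@WebMvcTest(controllers = EmpresaController.class, properties = {
        "auth0.audience=https://api.example.test",
        "spring.security.oauth2.resourceserver.jwt.issuer-uri=https://tenant.example.test/"
})
@Import(SecurityConfig.class)
class EmpresaControllerSecurityTest {

    // Same value as server.servlet.context-path in the poster's application.properties.
    // MockMvc does not read that property, so the context path is set on each request.
    private static final String CTX = "/my_proyect_name";

    @Autowired
    MockMvc mockMvc;

    // Replaces SecurityConfig.jwtDecoder(), which would otherwise fetch the issuer's
    // OIDC metadata over the network when the test context starts.
    @MockBean
    JwtDecoder jwtDecoder;

    @MockBean
    EmpresaServiceImpl empresaService;

    @Test
    void getWithoutTokenIsRejected() throws Exception {
        // The GET that previously bypassed validation must now be challenged with 401.
        mockMvc.perform(get(CTX + "/private/empresa/buscar/1").contextPath(CTX))
                .andExpect(status().isUnauthorized());
    }

    @Test
    void getWithAuthenticatedJwtReachesController() throws Exception {
        when(empresaService.buscarPorId(1L)).thenReturn(new Empresa());
        mockMvc.perform(get(CTX + "/private/empresa/buscar/1").contextPath(CTX).with(jwt()))
                .andExpect(status().is2xxSuccessful());
    }

    @Test
    void routeOutsideConfiguredPatternsIsNotProtected() throws Exception {
        // No rule in authorizeRequests() matches "/empresa/**", so the request is not
        // challenged and reaches Spring MVC, which answers 404 because nothing is mapped
        // there. With a fail-closed rule (.anyRequest().authenticated()) this would be 401.
        mockMvc.perform(get(CTX + "/empresa/buscar/1").contextPath(CTX))
                .andExpect(status().isNotFound());
    }
}
```

The third test documents the remaining risk in the posted configuration: with authorizeRequests() a request that matches none of the listed patterns is let through without any authorization check, so a typo in a pattern or a new controller outside /private/** silently becomes public. Appending `.anyRequest().authenticated()` after the last mvcMatchers() rule makes the API fail closed, and that test would then expect 401.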
