Hi everyone,
Im using this tutorial Auth0 Spring Boot API SDK Quickstarts: Authorization
to protect my rest-api with auth, and call the services from angular, but I have a strange bug, because when my call si a “put” or “post” the java application validate the access_token, but when my call is a get the services dont try to validate the access_token
This is my security config:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${auth0.audience}")
private String audience;
@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuer;
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().mvcMatchers("**/public/**").permitAll().mvcMatchers("/my_proyect_name/**").authenticated()
.and().cors().and().oauth2ResourceServer().jwt();
}
@Bean
JwtDecoder jwtDecoder() {
NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
jwtDecoder.setJwtValidator(withAudience);
return jwtDecoder;
}
}
And this is my services controller:
@RestController
@CrossOrigin(origins = “*”)
@RequestMapping(path = “empresa”, produces = MediaType.APPLICATION_JSON_VALUE)
public class EmpresaController {
@Autowired
EmpresaServiceImpl empresaService;
@PostMapping(value = "/crear")
public ResponseEntity<Empresa> crearEmpresa() {
try {
Empresa _empresa = empresaService.crear();
return new ResponseEntity<>(_empresa, HttpStatus.CREATED);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
}
}
@PutMapping(value = "/actualizar/{id}")
public ResponseEntity<Empresa> actualizarEmpresa(@PathVariable Long id) {
try {
Empresa e = empresaService.buscarPorId(id);
Empresa _empresa = empresaService.editarEmpresa(e);
return new ResponseEntity<>(_empresa, HttpStatus.CREATED);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
}
}
@GetMapping(value = "/buscar/{id}")
public ResponseEntity<Empresa> buscar(@PathVariable Long id) {
try {
Empresa _empresa = empresaService.buscarPorId(id);
return new ResponseEntity<>(_empresa, HttpStatus.CREATED);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
}
}
Thanks for your help!
UPDATE
The problem was in my application.properties
It had the property server.servlet.context-path: / my_proyect_name and AUTH0 recognizes from that PATH
My solution was:
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers("/public/**").permitAll()
.mvcMatchers("/private/**").authenticated()
.mvcMatchers("/private-scoped/**").hasAuthority("SCOPE_read:messages")
.and().cors()
.and().oauth2ResourceServer().jwt();
}
and in my controller, something like that
@RestController
@CrossOrigin(origins = “*”)
@RequestMapping(path = “private/empresa”, produces = MediaType.APPLICATION_JSON_VALUE)