Hey everyone,
I’m using Auth0 for the first time, for my master’s thesis. I’m developing a classic web application with a frontend and a backend, but I’m having some issues with the backend.
I’m trying to protect access to the backend’s API through Auth0, and everything seems to work great except for the GET requests: they’re getting through somehow. I’ll leave some code/screenshots below to illustrate the issue.
//SecurityConfig.java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // API identifier registered in Auth0; must appear in the token's "aud" claim
    @Value("${auth0.audience}")
    private String audience;

    // Auth0 tenant issuer URI; used for OIDC discovery and the "iss" check
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    JwtDecoder jwtDecoder() {
        // Builds a decoder from the issuer's OIDC metadata (JWKS location etc.)
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
        // Default validation (timestamps, issuer) combined with the audience check
        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
        jwtDecoder.setJwtValidator(withAudience);
        return jwtDecoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .mvcMatchers("/").permitAll()
                // matches the exact path "/user"
                .mvcMatchers("/user").authenticated()
                .and().oauth2ResourceServer().jwt();
    }
}
//AudienceValidator.java
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

// Rejects tokens whose "aud" claim does not contain this API's identifier
class AudienceValidator implements OAuth2TokenValidator<Jwt> {
    private final String audience;

    AudienceValidator(String audience) {
        this.audience = audience;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
        if (jwt.getAudience().contains(audience)) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(error);
    }
}
//UserController.java
import javax.annotation.Resource;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/user")
public class UserController {

    @Resource(name = "userServiceImpl")
    private UserServiceImpl userService;

    // GET /user/{id}
    @GetMapping("/{id}")
    public UserDTO getUser(@PathVariable long id) {
        return userService.getUserById(id);
    }

    // POST /user
    @PostMapping
    public UserDTO saveUser(@RequestBody UserDTO userDTO) {
        return userService.saveUser(userDTO);
    }

    // DELETE /user/{id}
    @DeleteMapping("/{id}")
    public boolean deleteUser(@PathVariable long id) {
        return userService.deleteUserById(id);
    }
}
[Screenshot: SaveUser without token]
[Screenshot: SaveUser with token]
[Screenshot: GetUser without token]
DeleteUser behaves exactly as SaveUser
Like I said, this is my first time using Auth0, so if there is anything I left out, don’t hesitate to ask for it. Any help is welcome.
Thanks!
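Added example, not code from the original post: a corrected SecurityConfig plus a MockMvc test that checks the routes offline. Two things in the posted configuration produce the screenshots. First, `.mvcMatchers("/user")` matches only the exact path `/user`, so `GET /user/{id}` and `DELETE /user/{id}` match no rule, and without a closing `.anyRequest()` rule an unmatched request is not denied. Second, Spring Security's default CSRF protection rejects token-less POST and DELETE on its own (it skips GET/HEAD/OPTIONS/TRACE, and `oauth2ResourceServer()` exempts requests carrying a bearer token), which is why only GET visibly leaks. Assumptions: all classes live in one package, `UserServiceImpl`, `UserDTO` and `AudienceValidator` are the posted types, the property values are placeholders, and `spring-boot-starter-test` plus `spring-security-test` are on the test classpath.

```java
// SecurityConfig.java (corrected)
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${auth0.audience}") private String audience;
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") private String issuer;

    @Bean
    JwtDecoder jwtDecoder() { // same as the post: issuer discovery + audience validation
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(audience)));
        return decoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no session, so CSRF adds nothing. Leaving it on also hides
            // authorization gaps: by default it rejects token-less POST/DELETE but never GET.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .mvcMatchers("/").permitAll()
                // "/user" alone matches only that exact path; "/user/**" also covers /user/{id}
                .mvcMatchers("/user/**").authenticated()
                // deny by default: a request that matches no rule must not fall through
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}

// SecurityConfigTest.java: offline check of the routes (spring-boot-starter-test + spring-security-test)
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(controllers = UserController.class)
@Import(SecurityConfig.class)
@TestPropertySource(properties = { // placeholder values; the decoder is mocked, so nothing is contacted
        "auth0.audience=https://thesis-api.example",
        "spring.security.oauth2.resourceserver.jwt.issuer-uri=https://tenant.example/" })
class SecurityConfigTest {
    @Autowired MockMvc mvc;
    @MockBean(name = "userServiceImpl") UserServiceImpl userService; // satisfies the controller's @Resource
    @MockBean JwtDecoder jwtDecoder; // replaces the Auth0-backed decoder; no network needed

    @Test void getWithoutTokenIsRejected() throws Exception {
        mvc.perform(get("/user/1")).andExpect(status().isUnauthorized());
    }
    @Test void deleteWithoutTokenIsRejected() throws Exception {
        mvc.perform(delete("/user/1")).andExpect(status().isUnauthorized());
    }
    @Test void getWithValidJwtIsAllowed() throws Exception {
        mvc.perform(get("/user/1").with(jwt())).andExpect(status().isOk());
    }
}
```

The `jwt()` post-processor authenticates the request with a synthetic `JwtAuthenticationToken`, so the allow case exercises the authorization rules without minting a real Auth0 token. If some paths are meant to stay public, list them with `permitAll()` before the `anyRequest()` line rather than relying on them being unmatched.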