Protected API allows GET requests through

Hey everyone,

I’m using Auth0 for the first time for my master’s thesis. I’m developing a classic web application with frontend and backend, but I’m having some issues with the back.

I’m trying to protect the access to the back’s API through Auth0, and everything seems to work great except for the GET requests: they’re getting through somehow. I’ll leave some code/screenshots below to illustrate the issue.

//SecurityConfig.java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Auth0 API identifier; tokens must carry it in their "aud" claim.
    @Value("${auth0.audience}")
    private String audience;

    // Auth0 tenant issuer (https://<tenant>.auth0.com/); JWKS and metadata are fetched from it.
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
                JwtDecoders.fromOidcIssuerLocation(issuer);

        // Default validation (expiry, issuer) plus the custom audience check.
        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .mvcMatchers("/").permitAll()
                // Matches only the exact path "/user" (POST and DELETE in the controller
                // below). GET "/user/{id}" matches no rule here, and with no anyRequest()
                // rule an unmatched request is not subject to authorization at all.
                .mvcMatchers("/user").authenticated()
                .and().oauth2ResourceServer().jwt();
    }
}
//AudienceValidator.java
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

// Rejects tokens whose "aud" claim does not list this API's identifier.
class AudienceValidator implements OAuth2TokenValidator<Jwt> {

    private final String audience;

    AudienceValidator(String audience) {
        this.audience = audience;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);

        // getAudience() is null when the token carries no "aud" claim at all;
        // treat that as a failure instead of letting contains() throw.
        if (jwt.getAudience() != null && jwt.getAudience().contains(audience)) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(error);
    }
}
//UserController.java
import javax.annotation.Resource;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/user")
public class UserController {

    @Resource(name = "userServiceImpl")
    private UserServiceImpl userService;

    // GET /user/{id}: the only route here with a path segment after "/user".
    @GetMapping("/{id}")
    public UserDTO getUser(@PathVariable long id) {
        return userService.getUserById(id);
    }

    // POST /user
    @PostMapping
    public UserDTO saveUser(@RequestBody UserDTO userDTO) {
        return userService.saveUser(userDTO);
    }

    // DELETE /user/{id}
    @DeleteMapping("/{id}")
    public boolean deleteUser(@PathVariable long id) {
        return userService.deleteUserById(id);
    }
}

SaveUser without token

SaveUser with token

GetUser without token

DeleteUser behaves exactly as SaveUser

Like I said, this is my first time using Auth0 so if there is anything I left behind don’t hesitate to ask for it. Any help is well received.

Thanks!


Hi @samu-magaz,

Welcome to the Auth0 Community!

Sorry for the delay! I am not a Spring Security expert, but it looks like you will need an additional mvcMatchers property to cover the /users/* endpoint.

The docs for spring security provide an example as /admin/**.

Hope that helps and good luck with your thesis!
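The configuration below is an added example, not the original poster's code or anything from Auth0; it shows the matcher fix the reply describes together with a deny-by-default rule. Spring's `mvcMatchers("/user")` matches only the exact path `/user`, so a request to `/user/1` hits no rule, and a request that matches no rule is not subject to authorization when there is no `anyRequest()` entry. `"/user/**"` matches `/user`, `/user/` and any deeper path. The example assumes the same property names as the post, the `AudienceValidator` class from the post in the same package, and Spring Security 5.x with `WebSecurityConfigurerAdapter` as used there.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Added example (not the poster's or Auth0's code): same decoder setup as the post,
// but with matchers that cover the whole /user subtree and a deny-by-default rule.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${auth0.audience}")          // assumed: same property as in the post
    private String audience;

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);

        // Expiry + issuer checks from Spring, plus the poster's AudienceValidator (assumed on the classpath).
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience =
                new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(audience));
        jwtDecoder.setJwtValidator(withAudience);
        return jwtDecoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only the landing page is public, and only for GET.
                .mvcMatchers(HttpMethod.GET, "/").permitAll()
                // "/user/**" covers /user, /user/ and /user/{id}; the exact-path rule
                // "/user" from the post left GET /user/{id} unmatched.
                .mvcMatchers("/user", "/user/**").authenticated()
                // Deny by default: any controller added later is protected unless
                // explicitly opened here, instead of silently falling through.
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}
```

With this in place, `GET /user/1` without an `Authorization: Bearer ...` header should answer 401 with a `WWW-Authenticate: Bearer` header (Spring's bearer-token entry point), exactly like the POST and DELETE cases in the screenshots; a token with the wrong `aud` gets 401 with `error="invalid_token"` from the `AudienceValidator`. The `anyRequest().authenticated()` line is the part worth keeping even after the matcher is fixed: it turns a forgotten matcher into a 401 rather than an open endpoint.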