I’ve recently upgraded a project from using spring-security
6.0.0, gradle config if you want to see it.
This project does not use spring-boot.
securityFilterChain is configured via code and looks approximately like this:
http. authenticationManager(authnManager). securityContext().securityContextRepository(securityRepo). and(). authorizeRequests(). // <-- DEPRECATED requestMatchers(RAID_V2_API + "/**").fullyAuthenticated().
The full codebase, starting with the FilterChain config, is publicly available.
Note that usage of
WebSecurityConfigurerAdapter is deprecated, and I have not been using it since the original usage of
6.0.0-M6. So calling stuff like
WebSecurityConfigurerAdapter.authenticationManagerBean() won’t work.
This code works fine, but the call to
authorizeRequests() causes a deprecation warning that I want to get rid of.
The deprecation tag says that I should use
authorizeHttpRequests() instead, but when I do that – requests that require authorization (via the
fullyAuthenticated() specification above) will be denied with a 403 error.
It seems this happens because my
AuthenticationProvider instances aren’t being called,
ProviderManager isn’t being called. Since the AuthnProviders don’t get called, the security context still contains the pre-auth token instead of a verified post-auth token, so the eventual call to
AuthorizationStrategy.isGranted() ends up calling
isAuthenticated() on the pre-auth token, which (correctly) returns false and the request is denied.
How do I use the
authorizeHttpRequests() method but still have the
ProviderManager be called so that my security config works?
My workaround is just to ignore the deprecation warning.
First, your security configuration does not specify any kind of authentication, like
formLogin, etc. The
AuthenticationManager is invoked by the filters created by those authentication mechanisms in order to authenticate credentials.
Second, the application is probably unwittingly relying on
authorizeRequests) to authenticate the user, which is not supported with
authorizeHttpRequests. You need to declare an auth mechanism that collects credentials from the request and authenticates the user.
Because you are using JWT, you might want to consider Spring Security’s OAuth2 Resource Server support. You can also refer to our samples repository in order to help you with sample configurations.
Answered By – Marcus Hert da Coregio
This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0