Spring Leave a comment

Spring-security 6 – 403 denied because AuthenticationProvider not called

Issue

I’ve recently upgraded a project from using spring-security 6.0.0-M6 to 6.0.0, gradle config if you want to see it.
This project does not use spring-boot.

Context

My securityFilterChain is configured via code and looks approximately like this:

http.
  authenticationManager(authnManager).
  securityContext().securityContextRepository(securityRepo).
and().
  authorizeRequests(). // <-- DEPRECATED
    requestMatchers(RAID_V2_API + "/**").fullyAuthenticated().

The full codebase, starting with the FilterChain config, is publicly available.

Note that usage of WebSecurityConfigurerAdapter is deprecated, and I have not been using it since the original usage of 6.0.0-M6. So calling stuff like WebSecurityConfigurerAdapter.authenticationManagerBean() won’t work.

This code works fine, but the call to authorizeRequests() causes a deprecation warning that I want to get rid of.

Problem

The deprecation tag says that I should use authorizeHttpRequests() instead, but when I do that – requests that require authorization (via the fullyAuthenticated() specification above) will be denied with a 403 error.

Analysis

It seems this happens because my AuthenticationProvider instances aren’t being called,
because the ProviderManager isn’t being called. Since the AuthnProviders don’t get called, the security context still contains the pre-auth token instead of a verified post-auth token, so the eventual call to AuthorizationStrategy.isGranted() ends up calling isAuthenticated() on the pre-auth token, which (correctly) returns false and the request is denied.

Question

How do I use the authorizeHttpRequests() method but still have the ProviderManager be called so that my security config works?

My workaround is just to ignore the deprecation warning.

Solution

First, your security configuration does not specify any kind of authentication, like httpBasic, formLogin, etc. The AuthenticationManager is invoked by the filters created by those authentication mechanisms in order to authenticate credentials.

Second, the application is probably unwittingly relying on FilterSecurityInterceptor (authorizeRequests) to authenticate the user, which is not supported with authorizeHttpRequests. You need to declare an auth mechanism that collects credentials from the request and authenticates the user.

Because you are using JWT, you might want to consider Spring Security’s OAuth2 Resource Server support. You can also refer to our samples repository in order to help you with sample configurations.

Answered By – Marcus Hert da Coregio

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published