Deprecated example, All of the site is protected, not just the API.

[magwas]

The following had some problems:

http.authorizeRequests()
                .mvcMatchers("/api/public").permitAll()
                .mvcMatchers("/api/private").authenticated()
                .mvcMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages")
                .and().cors()
                .and().oauth2ResourceServer().jwt();

authorizeRequests is deprecated,
mvcMatchers is undefined.

Relevant parts of pom.xml:

	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>3.0.2</version>
	</parent>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>

Now my SecurityConfig looks like below. No kidding. jwtDecoder commented out, and all-permitting filterchain. I even deleted AudienceValidator. I am running the server with jetty. All of the urls are 401 by default, and work as expected if I add the Authorization header as described here: https://auth0.com/docs/quickstart/backend/java-spring-security5/02-using

I could have code or config left from earlier tries, however I made every effort not to, and triple-checked all places suspect. (everything WEB-INF or resources, files ending in xml)

package com.kodekonveyor;

import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig {

	@Value("${auth0.audience}")
	private String audience;

	@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
	private String issuer;

	@Autowired
	Logger logger;

	/*
		@Bean
		JwtDecoder jwtDecoder() {
			logger.info("jwtDecoder");
			NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders
					.fromOidcIssuerLocation(issuer);
	
			OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(
					audience);
			OAuth2TokenValidator<Jwt> withIssuer = JwtValidators
					.createDefaultWithIssuer(issuer);
			OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(
					withIssuer, audienceValidator);
	
			jwtDecoder.setJwtValidator(withAudience);
	
			return jwtDecoder;
		}
	*/
	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http.authorizeHttpRequests().anyRequest().permitAll();
		/*
		http.authorizeHttpRequests()
				.requestMatchers("/api/**").permitAll();
		  .requestMatchers("/private").
		  hasAuthority(
		  "SCOPE_read:messages")
		  .and().cors()
		  .and().oauth2ResourceServer()
		  .jwt();
		 */
		return http.build();

	}
}

[magwas]

I am using 2.7.1 as the spring-boot-starter-parent version and adding this:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-tomcat</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

The filterchain is built like this:

		http
				.authorizeHttpRequests(
						authz -> authz.antMatchers(HttpMethod.GET, "/heroes")
								.hasAuthority("SCOPE_read:current_user")
								.anyRequest().permitAll())
				.oauth2ResourceServer(oauth2 -> oauth2.jwt());

Now it works as intended for static content at / and the service at /heroes.

I have a POST service at /hero/add. That is still denied by CORS, which I understand is probably because my filterchain is not properly configured.

Still, how can I get it to work with the latest spring version?

[jimmyjames]

👋 hi @magwas, thanks for raising this. The authorizeRequests method was deprecated in Spring Security 5.8, I believe. Currently the sample uses Spring Security 5.7 through the Spring Boot 2 POM, but I am looking into how this sample and authz will work with Spring Security 6. Which raises the question:

Still, how can I get it to work with the latest spring version?

Are you referring to Spring Boot 2 latest or Spring Boot 3 latest? I'll have more info soon about Spring Boot 3, but for Spring Boot 2 you should be able to use authorizeHttpRequest and requestMatcher instead of mvcMatcher to avoid deprecated method usage. Spring Boot 3 will require some additional updates, which I'll follow-up on shortly.

With regards to the whole site being protected, it looks like you solved this by adding the anyRequest().permitAll() last in the configured security, correct? That seems correct to me.

[jimmyjames]

Let's move the Spring Boot 3 / Spring Security 6 discussion to #25