Regression: ServerHttpSecurity ignores calls to permitAll() starting with 6.0.0-M7 #12074


Closed
magnus-larsson opened this issue Oct 22, 2022 · 2 comments
Assignees
Labels: in: config (An issue in spring-security-config); status: invalid (An issue that we don't feel is valid)

Comments

@magnus-larsson

Describe the bug
Starting with Spring Security 6.0.0-M7 (used by Spring Boot 3.0.0-M5), calls to permitAll() when configuring ServerHttpSecurity seem to be ignored.

I'm working on preparing a Spring Boot 2.7-based application for Spring Boot 3.
When upgrading from Spring Boot 3.0.0-M4 to 3.0.0-M5, I started to get 401 on APIs that are configured to not require any authorization. The problem remains in Spring Boot 3.0.0-RC1.

To Reproduce

  1. Unzip the attached sample code.

  2. Build and start the server with: ./gradlew clean test bootRun

  3. Run the following three curl commands:

       curl localhost:8080/actuator/health -w ", %{http_code}\n"
       curl localhost:8080/api/open -w ", %{http_code}\n"
       curl localhost:8080/api/protected -w "%{http_code}\n"

     Expect them to return:

       {"status":"UP"}, 200
       {"result":"open"}, 200
       401

  4. Change the Spring Boot version in the file build.gradle to 3.0.0-M5 or 3.0.0-RC1.

  5. Repeat steps 2 and 3. The responses from the curl commands will now be:

       , 401
       , 401
       401

Expected behavior

That the APIs configured to "permit-all" (/actuator/health and /api/open) do not return 401.

Sample
product-composite-service.zip

The Security configuration looks like:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Resource-server filter chain: actuator and /api/open are public,
// every other exchange must carry a valid JWT bearer token.
@EnableWebFluxSecurity
public class SecurityConfig {

  @Bean
  SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
      .authorizeExchange()
        .pathMatchers("/actuator/**").permitAll()
        .pathMatchers("/api/open").permitAll()
        .anyExchange().authenticated()
        .and()
      .oauth2ResourceServer()
        .jwt();
    return http.build();
  }
}
@magnus-larsson magnus-larsson added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 22, 2022
@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Oct 24, 2022
@marcusdacoregio marcusdacoregio self-assigned this Oct 24, 2022
@marcusdacoregio marcusdacoregio added the in: config An issue in spring-security-config label Oct 24, 2022
@marcusdacoregio
Contributor

Hi @magnus-larsson, thanks for the report.

This is related to #11653.
Now, in addition to @EnableWebFluxSecurity, you also have to add @Configuration to the class in order to make Spring pick it up and define its beans. If you don't add the annotation, Spring Boot will add the default security and all the endpoints will be protected, resulting in 401 for your endpoints.

@marcusdacoregio marcusdacoregio added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Oct 24, 2022
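The fix described above, as an added example (not code from the issue or from the Spring projects): the same filter chain with @Configuration added, written in the lambda DSL, plus a Boot test that pins the three status codes the issue expects so a future upgrade that silently falls back to Boot's default chain fails the build instead of surfacing as 401s. It assumes the sample app's controllers for /api/open and /api/protected, the actuator starter on the classpath, and uses a mocked ReactiveJwtDecoder so the context starts without an issuer.

```java
// --- SecurityConfig.java ---
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// @Configuration is the missing piece: from 6.0.0-M7 on, @EnableWebFluxSecurity alone
// no longer registers this bean, so Boot's default chain (everything authenticated) wins.
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
  @Bean
  SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
      .authorizeExchange(exchanges -> exchanges
        .pathMatchers("/actuator/**").permitAll()
        .pathMatchers("/api/open").permitAll()
        .anyExchange().authenticated())
      .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
    return http.build();
  }
}

// --- PermitAllRegressionTest.java (src/test/java) ---
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.test.web.reactive.server.WebTestClient;

// Pins the status codes from the issue: a regression that drops the custom chain
// shows up here as a failed build rather than as 401s on public endpoints.
@SpringBootTest
@AutoConfigureWebTestClient
class PermitAllRegressionTest {
  @Autowired WebTestClient client;
  // Stand-in decoder (assumption) so the context starts without a real issuer.
  @MockBean ReactiveJwtDecoder jwtDecoder;

  @Test
  void permitAllPathsStayOpenAndProtectedPathStillRequiresAuth() {
    client.get().uri("/actuator/health").exchange().expectStatus().isOk();
    client.get().uri("/api/open").exchange().expectStatus().isOk();
    client.get().uri("/api/protected").exchange().expectStatus().isUnauthorized();
  }
}
```

Removing @Configuration from SecurityConfig and re-running the test reproduces the issue: the first two assertions fail with 401.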
@magnus-larsson
Author

Hello @marcusdacoregio and thanks for pointing out this breaking change!

It was clearly pointed out in the release notes: https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M7

Next time, I'll read them through more carefully before submitting a bug report :-)

jzheaux pushed a commit that referenced this issue Dec 2, 2022
Before this commit, splitting the authorities claim was done by a
hardcoded regex " ". This commit makes it possible to configure any regex
to split the authorities claim while keeping the previously
hardcoded regex as a default.

Closes gh-12074
jzheaux added a commit that referenced this issue Dec 2, 2022
@jzheaux jzheaux reopened this Dec 2, 2022
@jzheaux jzheaux closed this as completed Dec 2, 2022