java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests() #7870

Closed
akuma8 opened this issue Jan 28, 2020 · 8 comments

akuma8 commented Jan 28, 2020

Hi,
I am migrating from Spring Security OAuth to Keycloak, but I have an issue that should not occur if we follow the DSL API provided by Spring Security.
I simply have this configuration:

@Configuration
@ComponentScan( basePackageClasses = KeycloakSecurityComponents.class )
@EnableWebSecurity( debug = true )
@Import( KeycloakSpringBootConfigResolver.class )
public class KeycloakSecurityConfigurerAdapter extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureParent( AuthenticationManagerBuilder auth ) {

        SimpleAuthorityMapper grantedAuthorityMapper = new SimpleAuthorityMapper();
        grantedAuthorityMapper.setPrefix( "ROLE_" );
        grantedAuthorityMapper.setConvertToUpperCase( true );

        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper( grantedAuthorityMapper );
        auth.authenticationProvider( keycloakAuthenticationProvider );
    }
}

I didn't override the protected void configure( HttpSecurity http ) method, and when I run my app this exception is thrown:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:656)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:484)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1338)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1177)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:557)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:517)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:323)
	at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$330.00000000AC53CF60.getObject(Unknown Source)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:321)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:879)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:878)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:550)
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141)
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:651)

After turning around for a moment, it sounds like the configuration from Keycloak causes that exception. Here's the configuration of KeycloakWebSecurityConfigurerAdapter#configure(HttpSecurity http):

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher())
                .and()
                .sessionManagement()
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
                .addFilterBefore(keycloakAuthenticationProcessingFilter(), LogoutFilter.class)
                .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
                .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class)
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .logout()
                .addLogoutHandler(keycloakLogoutHandler())
                .logoutUrl("/sso/logout").permitAll()  // THE PROBLEM IS HERE 
                .logoutSuccessUrl("/");

What I don't understand is why .logoutUrl("/sso/logout").permitAll() throws an exception, since the configuration DSL is planned to be used like that. I don't think the issue comes from Keycloak; they use the API as provided by Spring Security.

To solve the problem I tried to override configure(HttpSecurity http) like this:

    @Override
    protected void configure( HttpSecurity http ) throws Exception {
        http.oauth2ResourceServer().opaqueToken();
    }

And I defined other filters:

@Configuration
@Order( 98 )
public class UIResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.sessionManagement().sessionCreationPolicy( STATELESS );
        http.requestMatchers().antMatchers("/ui/resource/**" )
                .and()
                .cors().and()
                .authorizeRequests()
                .antMatchers( "/ui/resource/user" ).hasRole( "USER" );
    }
}

And

@Configuration
@Order( 99 )
public class SelfResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.requestMatchers().antMatchers( "/self/**" )
                .and()
                .authorizeRequests()
                .antMatchers( HttpMethod.GET, "/self/update" ).hasRole( "ADMIN" )
                .antMatchers( HttpMethod.GET, "/self/accept").permitAll();
    }
}

And use token introspection:

spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: "http://localhost:8180/auth/realms/app/protocol/openid-connect/token/introspect"
          client-id: my-service
          client-secret: secret

The application starts but I am getting a 403 Forbidden error. When I change the order of my custom filters to:

@Configuration
@Order( 101 )
public class UIResourceProtection extends WebSecurityConfigurerAdapter {...}

@Configuration
@Order( 102 )
public class SelfResourceProtection extends WebSecurityConfigurerAdapter {...}

Any security rules is applied.

What I would like is to define all Keycloak configurations in:

@Configuration
@ComponentScan( basePackageClasses = KeycloakSecurityComponents.class )
@EnableWebSecurity( debug = true )
@Import( KeycloakSpringBootConfigResolver.class )
public class KeycloakSecurityConfigurerAdapter extends KeycloakWebSecurityConfigurerAdapter {...} 

without overriding the configure( HttpSecurity http ) then defining other classes extending WebSecurityConfigurerAdapter to declare http security rules. But with that exception I can't.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 28, 2020
@jzheaux jzheaux self-assigned this Jan 28, 2020
@jzheaux jzheaux added for: stackoverflow A question that's better suited to stackoverflow.com in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 28, 2020

jzheaux commented Jan 28, 2020

@akuma8 sorry to hear about the difficulty you are having, thank you for reaching out.

I see that you had this same conversation with @eleftherias over on StackOverflow. It would probably be more appropriate to continue the conversation over there - I've added my own comment to Ria's answer about your question as to why permitAll requires authorizeRequests.

Btw, I'm wondering why you are using the Keycloak adapter in this case? Since Keycloak's authorization server is compliant with several OAuth 2.0 RFCs, I'd imagine that using Spring Security native would do the trick for you.

As far as I understand it, I've addressed your main question (over in StackOverflow), so I'm going to close this ticket. If you have further questions, please continue to post to StackOverflow as we usually have a team member watching out for questions there. If you have a bug or feature request, feel free to open another ticket.

@jzheaux jzheaux closed this as completed Jan 28, 2020
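
What the "Spring Security native" route suggested above can look like for the two chains in the question, as an added example that is not part of the thread: every `WebSecurityConfigurerAdapter` builds its own filter chain and only the chain whose matcher selects the request runs, so bearer-token authentication is declared on each chain. Assumptions: a `JwtDecoder` is available (for example through Spring Boot's `spring.security.oauth2.resourceserver.jwt.issuer-uri` property), the access token carries realm roles in a `realm_access.roles` claim, and the outer class name is hypothetical.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@EnableWebSecurity
public class NativeResourceServerConfig { // hypothetical name

    // Turns the assumed "realm_access.roles" claim into ROLE_* authorities, matching the
    // prefix and upper-casing of the SimpleAuthorityMapper used in the question.
    static Converter<Jwt, AbstractAuthenticationToken> realmRoleConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            Object roles = (realmAccess == null) ? null : realmAccess.get("roles");
            if (!(roles instanceof Collection)) {
                return Collections.emptyList(); // no roles claim: authenticated, no authorities
            }
            List<GrantedAuthority> authorities = new ArrayList<>();
            for (Object role : (Collection<?>) roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toString().toUpperCase()));
            }
            return authorities;
        });
        return converter;
    }

    @Configuration
    @Order(98)
    public static class UIResourceProtection extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/ui/resource/**")
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/ui/resource/user").hasRole("USER")
                    .anyRequest().authenticated()
                .and()
                // Adds bearer-token authentication to this chain.
                .oauth2ResourceServer().jwt().jwtAuthenticationConverter(realmRoleConverter());
        }
    }

    @Configuration
    @Order(99)
    public static class SelfResourceProtection extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/self/**")
                .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/self/update").hasRole("ADMIN")
                    .antMatchers(HttpMethod.GET, "/self/accept").permitAll()
                    .anyRequest().authenticated()
                .and()
                // Declared again: the chain for /ui/resource/** never sees /self/** requests.
                .oauth2ResourceServer().jwt().jwtAuthenticationConverter(realmRoleConverter());
        }
    }
}
```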

jzheaux commented Jan 29, 2020

@akuma8 sorry, I might have been unclear. Please feel free to address my question

Btw, I'm wondering why you are using the Keycloak adapter in this case?

by adding a comment here in the issue, in order to make that conversation easier to follow for the community in the future.


akuma8 commented Jan 30, 2020

@jzheaux I am currently considering using only Spring Security (S.S.) without the KC adapter, with the advantage of not being tied to KC, but I have other issues.
After returning back to the S.S. doc, I found this section: https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#specifying-the-authorization-server-3

I reviewed my configurations and removed all KC concerns, above all this class:

@Configuration
@ComponentScan( basePackageClasses = KeycloakSecurityComponents.class )
@EnableWebSecurity( debug = true )
@Import( KeycloakSpringBootConfigResolver.class )
public class KeycloakSecurityConfigurerAdapter extends KeycloakWebSecurityConfigurerAdapter {
    ...
}

As stated in the documentation, I only define this property in application.yml:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: "http://localhost:8180/auth/realms/app" # uri of KC issuer

I still have my 2 filter chains:

@Configuration
@Order( 98 )
public class UIResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.sessionManagement().sessionCreationPolicy( STATELESS );
        http.requestMatchers().antMatchers("/v1/ui/product/**" )
                .and()
                .cors().and()
                .authorizeRequests()
                .antMatchers( "/v1/ui/product/user" ).hasRole( "USER" );
    }
}

And

@Configuration
@Order( 99 )
public class SelfResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.requestMatchers().antMatchers( "/self/**" )
                .and()
                .authorizeRequests()
                .antMatchers( HttpMethod.GET, "/self/update" ).hasRole( "ADMIN" )
                .antMatchers( HttpMethod.GET, "/self/accept").permitAll();
    }
}

To test, I request my access token from KC with a user having the user role and send a POST request to http://localhost:8081/v1/ui/product/user, but I always get a 403 Forbidden error.
From S.S. it seems like the user is never authenticated.
Example of logs:

2020-01-31 | 00:13:52.436 | 12100 |  INFO | [myservice,,, ROG] | http-nio-8081-exec-1 | o.a.c.c.C.[.[.[/] | Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-01-31 | 00:13:52.436 | 12100 |  INFO | [myservice,,, ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Initializing Servlet 'dispatcherServlet'
2020-01-31 | 00:13:52.437 | 12100 | DEBUG | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Detected StandardServletMultipartResolver
2020-01-31 | 00:13:52.479 | 12100 | DEBUG | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | enableLoggingRequestDetails='true': request parameters and headers will be shown which may lead to unsafe logging of potentially sensitive data
2020-01-31 | 00:13:52.479 | 12100 |  INFO | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Completed initialization in 43 ms
2020-01-31 | 00:13:52.511 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/v1/ui/product/**']
2020-01-31 | 00:13:52.512 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/v1/ui/product/private/user'; against '/v1/ui/product/**'
2020-01-31 | 00:13:52.512 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847dROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | matched
2020-01-31 | 00:13:52.513 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-01-31 | 00:13:52.516 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847dROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-01-31 | 00:13:52.518 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-01-31 | 00:13:52.528 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 4 of 12 in additional filter chain; firing Filter: 'CorsFilter'
2020-01-31 | 00:13:52.535 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | s.d.s.w.PropertySourcedRequestMappingHandlerMapping | looking up handler for path: /v1/ui/product/private/user
2020-01-31 | 00:13:52.545 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847dROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.RequestMappingHandlerMapping | Mapped to com.app.product.web.controllers.ToUIController#privateProduct(SimplifiedProduct)
2020-01-31 | 00:13:52.552 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 5 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2020-01-31 | 00:13:52.554 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.csrf.CsrfFilter | Invalid CSRF token found for http://localhost:8081/v1/ui/product/private/user
2020-01-31 | 00:13:52.555 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.h.w.HstsHeaderWriter | Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@a21e025
2020-01-31 | 00:13:52.555 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.c.SecurityContextPersistenceFilter | SecurityContextHolder now cleared, as request processing completed
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/v1/ui/product/**']
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/error'; against '/v1/ui/product/**'
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | No matches found
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/product/**']
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/error'; against '/product/**'
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | No matches found
2020-01-31 | 00:13:52.568 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /error has no matching filters
2020-01-31 | 00:13:52.575 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | "ERROR" dispatch for POST "/error", parameters={}
2020-01-31 | 00:13:52.579 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | s.d.s.w.PropertySourcedRequestMappingHandlerMapping | looking up handler for path: /error
2020-01-31 | 00:13:52.584 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.RequestMappingHandlerMapping | Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2020-01-31 | 00:13:52.586 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.o.j.s.OpenEntityManagerInViewInterceptor | Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2020-01-31 | 00:13:52.586 | 12100 | TRACE | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.t.s.TransactionSynchronizationManager | Bound value [org.springframework.orm.jpa.EntityManagerHolder@ff10fd0] for key [org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean@cd089432] to thread [http-nio-8081-exec-1]
2020-01-31 | 00:13:52.641 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.HttpEntityMethodProcessor | Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2020-01-31 | 00:13:52.643 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.HttpEntityMethodProcessor | Writing [{timestamp=Thu Jan 30 23:13:52 UTC 2020, status=403, error=Forbidden, message=Forbidden, path=/v1/ui (truncated)...]
2020-01-31 | 00:13:52.739 | 12100 | TRACE | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.t.s.TransactionSynchronizationManager | Removed value [org.springframework.orm.jpa.EntityManagerHolder@ff10fd0] for key [org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean@cd089432] from thread [http-nio-8081-exec-1]
2020-01-31 | 00:13:52.739 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.o.j.s.OpenEntityManagerInViewInterceptor | Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2020-01-31 | 00:13:52.740 | 12100 | DEBUG | [myservice,ee1ae6fcfe958705,21991d73e55b847d,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Exiting from "ERROR" dispatch, status 403

When I disable CSRF I still get a 403, with these log messages:

2020-01-31 | 00:35:12.428 | 15744 |  INFO | [myservice,,,ROG] | http-nio-8081-exec-1 | o.a.c.c.C.[.[.[/] | Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-01-31 | 00:35:12.432 | 15744 |  INFO | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Initializing Servlet 'dispatcherServlet'
2020-01-31 | 00:35:12.432 | 15744 | DEBUG | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Detected StandardServletMultipartResolver
2020-01-31 | 00:35:12.582 | 15744 | DEBUG | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | enableLoggingRequestDetails='true': request parameters and headers will be shown which may lead to unsafe logging of potentially sensitive data
2020-01-31 | 00:35:12.582 | 15744 |  INFO | [myservice,,,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Completed initialization in 150 ms
2020-01-31 | 00:35:12.619 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/v1/ui/product/**']
2020-01-31 | 00:35:12.619 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/v1/ui/product/private/user'; against '/v1/ui/product/**'
2020-01-31 | 00:35:12.619 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | matched
2020-01-31 | 00:35:12.620 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-01-31 | 00:35:12.623 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-01-31 | 00:35:12.626 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-01-31 | 00:35:12.629 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 4 of 11 in additional filter chain; firing Filter: 'CorsFilter'
2020-01-31 | 00:35:12.633 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | s.d.s.w.PropertySourcedRequestMappingHandlerMapping | looking up handler for path: /v1/ui/product/private/user
2020-01-31 | 00:35:12.639 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.RequestMappingHandlerMapping | Mapped to com;app.product.web.controllers.ToUIController#demandeCreationproductPrivate(SimplifiedDemandeproductPrivateWithUrl)
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/logout', GET]
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Request 'POST /v1/ui/product/private/user' doesn't match 'GET /logout'
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/logout', POST]
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/v1/ui/product/private/user'; against '/logout'
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/logout', PUT]
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Request 'POST /v1/ui/product/private/user' doesn't match 'PUT /logout'
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/logout', DELETE]
2020-01-31 | 00:35:12.642 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Request 'POST /v1/ui/product/private/user' doesn't match 'DELETE /logout'
2020-01-31 | 00:35:12.643 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | No matches found
2020-01-31 | 00:35:12.643 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-01-31 | 00:35:12.643 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-01-31 | 00:35:12.645 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-01-31 | 00:35:12.646 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.AnonymousAuthenticationFilter | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6cbddd6e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 31DE09CEE9609DC1E64814FAF2AB1D19; Granted Authorities: ROLE_ANONYMOUS'
2020-01-31 | 00:35:12.646 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-01-31 | 00:35:12.647 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-01-31 | 00:35:12.647 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /v1/ui/product/private/user at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-01-31 | 00:35:12.647 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/v1/ui/product/private/user'; against '/v1/ui/product/private/**'
2020-01-31 | 00:35:12.648 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.i.FilterSecurityInterceptor | Secure object: FilterInvocation: URL: /v1/ui/product/private/user; Attributes: [hasRole('ROLE_user')]
2020-01-31 | 00:35:12.648 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.i.FilterSecurityInterceptor | Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6cbddd6e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 31DE09CEE9609DC1E64814FAF2AB1D19; Granted Authorities: ROLE_ANONYMOUS
2020-01-31 | 00:35:12.653 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.a.v.AffirmativeBased | Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a86db4ae, returned: -1
2020-01-31 | 00:35:12.662 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.ExceptionTranslationFilter | Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:50)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at brave.servlet.TracingFilter.doFilter(TracingFilter.java:82)
	at org.springframework.cloud.sleuth.instrument.web.LazyTracingFilter.doFilter(TraceWebServletAutoConfiguration.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:825)
2020-01-31 | 00:35:12.670 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.ExceptionTranslationFilter | Calling Authentication entry point.
2020-01-31 | 00:35:12.670 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.a.Http403ForbiddenEntryPoint | Pre-authenticated entry point called. Rejecting access
2020-01-31 | 00:35:12.670 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.h.w.HstsHeaderWriter | Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3795eda
2020-01-31 | 00:35:12.671 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.c.SecurityContextPersistenceFilter | SecurityContextHolder now cleared, as request processing completed
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/v1/ui/product/**']
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/error'; against '/v1/ui/product/**'
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | No matches found
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | Trying to match using Ant [pattern='/product/**']
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.AntPathRequestMatcher | Checking match of request : '/error'; against '/product/**'
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.w.u.m.OrRequestMatcher | No matches found
2020-01-31 | 00:35:12.687 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.s.web.FilterChainProxy | /error has no matching filters
2020-01-31 | 00:35:12.700 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | "ERROR" dispatch for POST "/error", parameters={}
2020-01-31 | 00:35:12.702 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | s.d.s.w.PropertySourcedRequestMappingHandlerMapping | looking up handler for path: /error
2020-01-31 | 00:35:12.712 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.RequestMappingHandlerMapping | Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2020-01-31 | 00:35:12.714 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.o.j.s.OpenEntityManagerInViewInterceptor | Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2020-01-31 | 00:35:12.714 | 15744 | TRACE | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.t.s.TransactionSynchronizationManager | Bound value [org.springframework.orm.jpa.EntityManagerHolder@f9e30003] for key [org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean@a1bb84d4] to thread [http-nio-8081-exec-1]
2020-01-31 | 00:35:12.768 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.HttpEntityMethodProcessor | Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2020-01-31 | 00:35:12.770 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.m.m.a.HttpEntityMethodProcessor | Writing [{timestamp=Thu Jan 30 23:35:12 UTC 2020, status=403, error=Forbidden, message=Access Denied, path=/v (truncated)...]
2020-01-31 | 00:35:12.823 | 15744 | TRACE | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.t.s.TransactionSynchronizationManager | Removed value [org.springframework.orm.jpa.EntityManagerHolder@f9e30003] for key [org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean@a1bb84d4] from thread [http-nio-8081-exec-1]
2020-01-31 | 00:35:12.823 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.o.j.s.OpenEntityManagerInViewInterceptor | Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2020-01-31 | 00:35:12.824 | 15744 | DEBUG | [myservice,6cd1ecb828504cc0,0e8e5189daa2c747,ROG] | http-nio-8081-exec-1 | o.s.w.s.DispatcherServlet | Exiting from "ERROR" dispatch, status 403

I use Spring Boot 2.2.4.RELEASE, security dependencies:

        <dependency>
            <groupId>org.springframework.boot</groupId> 
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId> <!-- Used by Spring Security -->
            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>

I am seriously thinking about contributing to Spring Security; I think that will be the only way to understand well how it works. If you have issues for beginners, please let me know.
Thanks a lot

@jzheaux
Contributor

jzheaux commented Jan 31, 2020

@akuma8 I believe what is primarily missing is any kind of authentication mechanism in your configuration.

For example, a typical WebSecurityConfigurerAdapter for a JWT-based Resource Server would look like:

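import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order( 99 )
public class SelfResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        // This filter chain only handles requests under /self/**
        http.requestMatchers().antMatchers( "/self/**" )
                .and()
            .authorizeRequests()
                .antMatchers( HttpMethod.GET, "/self/update" ).hasRole( "ADMIN" )
                .antMatchers( HttpMethod.GET, "/self/accept" ).permitAll()
                .and()
            // The authentication mechanism: JWT bearer tokens
            .oauth2ResourceServer()
                .jwt();
    }
}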

Spring Boot declares oauth2ResourceServer for you only when you've not declared a WebSecurityConfigurerAdapter yourself.

You might consider posting a minimal sample GitHub project with your code, if you aren't able to make further progress.

We love new contributors! You can have a look at our first-timers-only issue tag for ideas.

@akuma8
Contributor Author

akuma8 commented Jan 31, 2020

@jzheaux I added

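import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order( 98 )
public class UIResourceProtection extends WebSecurityConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        // No HTTP session: every request must carry its own bearer token
        http.sessionManagement().sessionCreationPolicy( STATELESS );
        http.requestMatchers().antMatchers( "/v1/ui/product/**" )
                .and()
                .cors().and()
                .authorizeRequests()
                .antMatchers( "/v1/ui/product/user" ).hasRole( "USER" )
                .and()
                .oauth2ResourceServer()
                .jwt();
    }
}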

But S.S. doesn't have access to the user roles defined in KC; only client scopes are available. I would like to not set scopes to users and use them only for clients. Is it possible to have access to user roles with this configuration?

Regarding contribution, I would like to start with this issue: #7824

@akuma8
Contributor Author

akuma8 commented Feb 3, 2020

@jzheaux Thanks for the link, I finally managed to find a working solution. A question: do you think it is possible to add the Jwt converters at the FilterChainProxy level?
I have several filter chains (for me a filter chain is a class extending WebSecurityConfigurerAdapter), and I would like to avoid repeated code, i.e. adding this kind of code

...
.oauth2ResourceServer()
                .jwt()
                    .jwtAuthenticationConverter(grantedAuthoritiesExtractor());

in each class.
I would like a global way to register Jwt converters to extract authorities.
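
One way to expose Keycloak user roles to the `oauth2ResourceServer().jwt()` setup discussed in this thread, as an added example that is not code from the thread or from Spring Security. The class name `KeycloakRealmRoleConverter` is hypothetical, and the example assumes realm roles arrive in the token's `realm_access.roles` claim and should become upper-cased `ROLE_` authorities, as in the `SimpleAuthorityMapper` settings of the original Keycloak adapter configuration.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

// Added example (hypothetical class): maps Keycloak realm roles to ROLE_* authorities.
// Assumed token shape: {"realm_access": {"roles": ["user", "admin"]}}
public final class KeycloakRealmRoleConverter
        implements Converter<Jwt, Collection<GrantedAuthority>> {

    @Override
    public Collection<GrantedAuthority> convert( Jwt jwt ) {
        Object realmAccess = jwt.getClaims().get( "realm_access" );
        if ( !( realmAccess instanceof Map ) ) {
            // Claim absent or malformed: fail closed and grant no authorities
            return Collections.emptyList();
        }
        Object roles = ( (Map<?, ?>) realmAccess ).get( "roles" );
        if ( !( roles instanceof List ) ) {
            return Collections.emptyList();
        }
        return ( (List<?>) roles ).stream()
                .filter( String.class::isInstance )   // ignore non-string entries
                .map( String.class::cast )
                .map( role -> "ROLE_" + role.toUpperCase( Locale.ROOT ) )
                .<GrantedAuthority>map( SimpleGrantedAuthority::new )
                .collect( Collectors.toList() );
    }

    // Single place to build the converter; each adapter passes the result to
    // .oauth2ResourceServer().jwt().jwtAuthenticationConverter( ... )
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter( new KeycloakRealmRoleConverter() );
        return converter;
    }
}
```

With this converter in place, `hasRole( "USER" )` matches a token whose realm roles include `user`, and scope claims no longer produce authorities because the default scope-based converter is replaced.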

@jzheaux
Contributor

jzheaux commented Apr 6, 2020

@akuma8 I wonder if this would be solved by #8185
