Skip to content
Advertisement

antMatchers() is not working , and gives forbidden error

I have an end-point called authenticate , this endpoint is given to antMatchers(“/authenticate”) to skip authorization for this end-point, but it still checks for the authentication.

code:

   @Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // We don't need CSRF for this example
    httpSecurity.csrf().disable()
            // dont authenticate this particular request
            .authorizeRequests().antMatchers("/authenticate").permitAll()
            // all other requests need to be authenticated
            .and().authorizeRequests()
            .anyRequest().authenticated()
            .and()
            // make sure we use stateless session; session won't be used to
            // store user's state.
            .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
            .and().sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Add a filter to validate the tokens with every request
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}

Advertisement

Answer

I have an update regarding the issue.

In my case, I had a problem with a function singWith() that was deprecated, the request of /authenticate was passing the antMatchers() filter but was not able to generate the token.

After the research, I found that there are other types of the same function, which works fine.

the old version of the token generation code.

SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode("newworldorder"));

Key is of SecretKey type

Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(date)
            .setExpiration(new Date(validity)
            .signWith(key).compact();

here is the new version of the token generation code.

private String key = "newworldorder";

Key is of String type

Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(date)
            .setExpiration(validity)
            .signWith(SignatureAlgorithm.HS512, key).compact();

User contributions licensed under: CC BY-SA
2 People found this is helpful
Advertisement