Title says it all.
WebSecurityConfig:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/api/auth/**").permitAll()
                .antMatchers("/api/users/**").authenticated()
                .antMatchers(h2ConsolePath + "/**").permitAll().and()
            .formLogin()
                .loginPage("/api/auth/loginAndRegisterForm")
                .successForwardUrl("/api/users/tripAdvisorHomePage").and()
            .logout()
                .logoutUrl("/api/auth/logout")
                .logoutSuccessUrl("/api/auth/loginAndRegisterForm")
                .permitAll();
        http.headers().frameOptions().sameOrigin();
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
As you can see I have .antMatchers("/api/users/**").authenticated() and that works: I can't access that URL, getting the Unauthorized error "Full authentication is required to access this resource" with code 401.
But when I go back, enter credentials and get redirected to successForwardUrl("/api/users/tripAdvisorHomePage"), it's still "Full authentication is required".
This is my login method:
    @PostMapping("/login")
    @Transactional
    public ResponseEntity<?> login(@Valid @ModelAttribute("login") LoginRequest loginRequest, Model model) {
        Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
        SecurityContextHolder.getContext().setAuthentication(authentication);
        UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();
        ResponseCookie jwtCookie = jwtHelper.generateJwtCookie(user);
        System.out.println(jwtCookie);
        model.addAttribute("login", loginRequest);
        HttpHeaders headers = new HttpHeaders();
        // the entity built here is not assigned or returned
        ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString());
        headers.add("Location", "/api/users/tripAdvisorHomePage");
        return new ResponseEntity<String>(headers, HttpStatus.FOUND);
    }
This is my method to show the page if the user is logged in:
    @GetMapping("/tripAdvisorHomePage")
    public String index() {
        return "tripAdvisorHomePage";
    }
And on top of the class I have @RequestMapping("/api/users"), so the URL for that index API is, as in WebSecurityConfig, "/api/users/tripAdvisorHomePage".
I tried to find something useful around, but there are only specific ways for each case, and so far I have had no success.
Answer
I may be mistaken here, but the following looks odd:
    HttpHeaders headers = new HttpHeaders();
    ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString()); // What now?
    headers.add("Location", "/api/users/tripAdvisorHomePage");
    return new ResponseEntity<String>(headers, HttpStatus.FOUND);
The Set-Cookie header is never part of the actually returned ResponseEntity. Try adding the Set-Cookie and Location header to the same response entity:
    return ResponseEntity
            .status(HttpStatus.FOUND)
            .location(URI.create("/api/users/tripAdvisorHomePage")) // location() takes a java.net.URI
            .header(HttpHeaders.SET_COOKIE, jwtCookie.toString())
            .build();
(untested)