I have blocked the URL for a user who is not logged in, but after the user logs in he still cannot access the URL

Title says it all.

• WebSecurityConfig

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/api/auth/**").permitAll()
            .antMatchers("/api/users/**").authenticated()
            .antMatchers(h2ConsolePath + "/**").permitAll().and()
            .formLogin().loginPage("/api/auth/loginAndRegisterForm")
            .successForwardUrl("/api/users/tripAdvisorHomePage").and()
            .logout().logoutUrl("/api/auth/logout").logoutSuccessUrl("/api/auth/loginAndRegisterForm")
            .permitAll();
    http.headers().frameOptions().sameOrigin();
    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
  }
  

As you can see I have .antMatchers("/api/users/**").authenticated() and that works, I cant access that URL, getting Unauthorized error: Full authentication is required to access this resource with code 401.

But when I go back and enter a credentials and get redirected to successForwardUrl("/api/users/tripAdvisorHomePage") its still Full authentication is required.

• This is my login method:

  @PostMapping("/login")
  @Transactional
  public ResponseEntity<?> login(@Valid @ModelAttribute("login") 
  LoginRequest loginRequest, Model model) {
    Authentication authentication = authenticationManager.
            authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
    SecurityContextHolder.getContext().setAuthentication(authentication);
    UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();
  
    ResponseCookie jwtCookie = jwtHelper.generateJwtCookie(user);
    System.out.println(jwtCookie);
  
  
    model.addAttribute("login", loginRequest);
  
    HttpHeaders headers = new HttpHeaders();
    ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString());
    headers.add("Location", "/api/users/tripAdvisorHomePage");
    return new ResponseEntity<String>(headers, HttpStatus.FOUND);
  

• This is my method to show page if user is logged in.

  @GetMapping("/tripAdvisorHomePage")
  public String index() {
    return "tripAdvisorHomePage";
  }
  

And on top of class I have @RequestMapping("/api/users") so the URL for that index API is like in WebSecurityConfig – "/api/users/tripAdvisorHomePage"

I tried to find something useful around but there are all specific ways for each and other and so far I had no success.

Answer

I may be mistaken here, but the following looks odd:

  HttpHeaders headers = new HttpHeaders();
  ResponseEntity.ok().header(HttpHeaders.SET_COOKIE, jwtCookie.toString()); // What now?
  headers.add("Location", "/api/users/tripAdvisorHomePage");
  return new ResponseEntity<String>(headers, HttpStatus.FOUND);

The Set-Cookie header is never part of the actually returned ResponseEntity. Try adding the Set-Cookie and Location header to the same response entity:

return ResponseEntity
  .status(HttpStatus.FOUND)
  .location("/api/users/tripAdvisorHomePage")
  .header(HttpHeaders.SET_COOKIE, jwtCookie.toString())
  .build();

(untested)