springsecurityfilterchain

Why is my security filter chain not working?


I want to permit access to all of my pages and then add authentication one page at a time, but I can't even permit access to all my pages. My SecurityConfig is as below (I got this piece of code at spring.io):

/**
 * Security configuration as posted in the question.
 *
 * <p>Registers a filter chain whose only authorization rule permits requests matching
 * {@code "/*"}, and exposes a BCrypt {@link PasswordEncoder} bean.
 */
@Configuration
public class SecurityConfig {

    /**
     * Builds the application's {@link SecurityFilterChain}.
     *
     * @param http builder supplied by Spring Security
     * @return the chain produced by {@code http.build()}
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // NOTE(review): "/*" covers exactly one path segment (e.g. "/foo") and not nested
        // paths (e.g. "/foo/bar"); "/**" is the pattern that covers every path.
        // NOTE(review): the rule only applies if this class is actually registered by
        // component scanning. If it is not, Spring Boot's default chain stays active and
        // requires a login for every endpoint.
        http.authorizeHttpRequests(registry -> registry.requestMatchers("/*").permitAll());
        return http.build();
    }

    /**
     * Supplies the password encoder bean.
     *
     * @return a new {@link BCryptPasswordEncoder}
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        final PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        return bcrypt;
    }

}

Once I try to access any endpoint, I get a login screen:

Image

I can't get it to work. Why is it asking for authentication on all endpoints of my application? Shouldn't this be enough to permit access to everything?

package com.servicestcg.servicestcg;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;

import com.servicestcg.servicestcg.controller.CartasController;

/**
 * Spring Boot entry point as posted in the question.
 */
// NOTE(review): the explicit @ComponentScan below roots component scanning at the package
// of CartasController. @Configuration classes outside that package are then not registered;
// the page does not show SecurityConfig's package, so confirm where it lives.
@SpringBootApplication
@ComponentScan(basePackageClasses = CartasController.class)
public class ServicesTcgApplication {

    /**
     * Starts the application.
     *
     * @param args command-line arguments, handed through to Spring Boot
     */
    public static void main(String[] args) {
        final Class<?> primarySource = ServicesTcgApplication.class;
        SpringApplication.run(primarySource, args);
    }

}

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.services-tcg</groupId>
    <artifactId>services-tcg</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>services-tcg</name>
    <description>Services for tcg website</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- With this starter on the classpath, Spring Boot requires authentication for every
             endpoint by default, unless the application registers its own SecurityFilterChain bean. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        
        
        <!-- Actuator endpoints are served by the same application, so a catch-all permitAll()
             rule also applies to whatever is exposed under /actuator.
             NOTE(review): confirm the exposed set (management.endpoints.web.exposure.include). -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <executable>true</executable>
                    <fork>true</fork>
                    <addResources>true</addResources>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>


Solution

  • With Spring Security, the pattern for "all paths" is written "**": "/*" matches only a single path segment, while "/**" matches every path.

    /**
     * Builds a filter chain whose single authorization rule permits every request.
     *
     * @param http builder supplied by Spring Security
     * @return the chain produced by {@code http.build()}
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // "/**" matches every path, nested ones included; anyRequest() is the usual way to
        // write the same catch-all.
        // Rules are evaluated in declaration order and the first match wins, so when pages
        // are locked down later, their authenticated() matchers must be declared before
        // this catch-all.
        // permitAll() only affects authorization: CSRF protection stays enabled by default,
        // so state-changing requests without a token are still rejected.
        // The catch-all also covers anything exposed under /actuator when the actuator
        // starter is on the classpath.
        http.authorizeHttpRequests(rules -> rules.requestMatchers("/**").permitAll());
        return http.build();
    }
    

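    You may encounter another problem with the explicit @ComponentScan below. It limits component scanning to the package of CartasController, so if SecurityConfig lives outside that package it is never registered, and Spring Boot falls back to its default security configuration, which asks for a login on every endpoint: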

    /**
     * The question's entry point, quoted to show the problematic scan setting.
     */
    // The explicit @ComponentScan takes the place of the default scan that
    // @SpringBootApplication would run from this class's own package; only the package of
    // CartasController (and its sub-packages) is searched for components and configuration.
    @SpringBootApplication
    @ComponentScan(basePackageClasses = CartasController.class)
    public class ServicesTcgApplication {

        /**
         * Starts the application.
         *
         * @param args command-line arguments, handed through to Spring Boot
         */
        public static void main(String[] args) {
            final Class<?> bootClass = ServicesTcgApplication.class;
            SpringApplication.run(bootClass, args);
        }

    }
    

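    Unless you know what you're doing, you should let Spring handle the package scanning for you: @SpringBootApplication already scans the package of the annotated class and all of its sub-packages.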

    /**
     * Entry point that relies on Spring Boot's default component scan.
     *
     * <p>With no explicit {@code @ComponentScan}, scanning starts at the package of this
     * class and includes its sub-packages, so configuration classes placed there (a
     * security configuration, for example) are registered.
     */
    @SpringBootApplication
    public class ServicesTcgApplication {

        /**
         * Starts the application.
         *
         * @param args command-line arguments, handed through to Spring Boot
         */
        public static void main(String[] args) {
            final Class<?> bootClass = ServicesTcgApplication.class;
            SpringApplication.run(bootClass, args);
        }

    }
    

    More information on Spring Security on https://docs.spring.io/spring-security/reference/index.html