'Can't disable spring security for temporary (403 forbidden)

I want to disable spring security temporary for the whole application but I always get 403 forbidden

Deleting @PreAuthorize annotation in my controller does not give any result. Endpoints that are not marked with this annotation also drop me 403 forbidden I don't need basic auth i need no auth

My spring security config: (/ , /api/** , /**, /* does not work, i always get 403 forbidden)

package com.project.webstation.Config;

import com.project.webstation.Services.CustomUserDetailsService;
import lombok.AllArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@AllArgsConstructor
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final CustomUserDetailsService userDetailsService;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
//        http
//                .csrf().disable()
//                .authorizeRequests()
//                .antMatchers(HttpMethod.POST,"/api/user/").permitAll()
//                .anyRequest()
//                .authenticated()
//                .and()
//                .httpBasic();
        http.csrf().disable().authorizeRequests().antMatchers("/").permitAll();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(daoAuthenticationProvider());
    }

    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    protected DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setPasswordEncoder(getPasswordEncoder());
        daoAuthenticationProvider.setUserDetailsService(userDetailsService);
        return daoAuthenticationProvider;
    }
}

One of my controllers:

@Slf4j
@RestController
@RequestMapping("/api/user/")
@AllArgsConstructor
public class UserController {

    private final UserMap userMap;

    private final UserService userService;


    //@PreAuthorize("hasAuthority('user:read')")
    @ApiOperation(value = "Getting  user by the id")
    @GetMapping(value = "{id}")
    public ResponseEntity<UserResponse> getUser(@PathVariable("id") long Id) {
        User user = userService.findById(Id);
        UserResponse userResponse = userMap.userToResponse(user);
        return new ResponseEntity<>(userResponse, HttpStatus.OK);
    }

    @ApiOperation(value = "getting  user data from request body and saving it to database")
    @PostMapping(value = "")
    public ResponseEntity<UserSaveResponse> saveUser(@RequestBody UserRequest userRequest) {
        User user = userService.save(userRequest);
        UserSaveResponse userSaveResponse = userMap.userToSaveResponse(user);
        return new ResponseEntity<>(userSaveResponse, HttpStatus.CREATED);
    }

    @PreAuthorize("hasAuthority('user:write')")
    @ApiOperation(value = "getting  user data from request body and updating it in database(Admin method, can do it for all users)")
    @PutMapping(value = "/{id}")
    public ResponseEntity<UserResponse> updateUser(@AuthenticationPrincipal SecurityUser user, @RequestBody UserEditRequest userEditRequest, @PathVariable("id") int id) {
        User updatedUser = userService.update(id, userEditRequest,user);
        UserResponse userResponse = userMap.userToResponse(updatedUser);
        return new ResponseEntity<>(userResponse, HttpStatus.CREATED);
    }


    @PreAuthorize("hasAuthority('user:write')")
    @ApiOperation(value = "Deleting user by id from the database")
    @DeleteMapping(value = "{id}")
    public ResponseEntity<UserResponse> deleteUser(@AuthenticationPrincipal SecurityUser authenticatedUser,@PathVariable("id") int id) {
        userService.delete(id,authenticatedUser);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @PreAuthorize("hasAuthority('user:read')")
    @ApiOperation(value = "Getting all the Users from the database")
    @PostMapping(value = "get")
    public ResponseEntity<List<UserResponse>> findAllWithFilters(@RequestBody UserFilterProperties userFilterProperties) {
        return new ResponseEntity<>(userService.getAllWithFilters(userFilterProperties),HttpStatus.OK);
    }


    @PreAuthorize("hasAuthority('user:read')")
    @ApiOperation(value = "Subscribe on user")
    @PutMapping(value = "{id}/subscribe")
    public ResponseEntity<UserResponse> subscribe(@RequestBody UserSubscriptionRequest userSubscriptionRequest, @AuthenticationPrincipal SecurityUser user, @PathVariable("id") Long id) {
         userService.subscribe(id,user,userSubscriptionRequest);
         return new ResponseEntity<>(HttpStatus.OK);
    }


     @PreAuthorize("hasAuthority('user:read')")
        @ApiOperation(value = "Unsubscribe from user")
        @PutMapping(value = "{id}/unsubscribe")
        public ResponseEntity<UserResponse> unsubscribe(@RequestBody UserSubscriptionRequest userSubscriptionRequest,@AuthenticationPrincipal SecurityUser user, @PathVariable("id") Long id) {
            userService.unsubscribe(user,id,userSubscriptionRequest);
            return new ResponseEntity<>(HttpStatus.OK);
        }
        @PreAuthorize("hasAuthority('user:read')")
        @ApiOperation(value = "Getting all user's subscribers")
        @GetMapping(value = "{id}/subscribers")
        public ResponseEntity<Set<UserResponse>> getSubscribers(@PathVariable("id") Long Id) {
            return new ResponseEntity<>(userService.getSubscribers(Id),HttpStatus.OK);
        }
    
        @PreAuthorize("hasAuthority('user:read')")
        @ApiOperation(value = "Getting all user's subscriptions")
        @GetMapping(value = "{id}/subscriptions")
        public ResponseEntity<Set<UserResponse>> getSubscriptions(@PathVariable("id") Long Id) {
            return new ResponseEntity<>(userService.getSubscriptions(Id),HttpStatus.OK);
        }
@PreAuthorize("hasAuthority('user:write')")
    @ApiOperation(value = "upload file attached to the user")
    @PostMapping(value = "{userId}/upload")
    public ResponseEntity<User> uploadImage(@PathVariable("userId") Long id,
                                            @RequestParam("file") MultipartFile file,
                                            @AuthenticationPrincipal SecurityUser user) throws IOException
                                                {
        userService.saveImageForUser(id,file,user);
        return new ResponseEntity<>(HttpStatus.OK);
    }
javaspringspring-bootspring-security


Solution 1:[1]

Add this to your SecurityConfig class to completely ignore the specified url patterns...

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/**");
}

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 httPants

Related Questions