#StackBounty: #spring #spring-boot #spring-security Apply HttpSecurity for GET request

Bounty: 100

I have this REST endpoint:

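import java.util.ArrayList;
import java.util.List;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/data")
public class DataPagesController {

    // Served at /engine/data/page once the context path below is applied
    @GetMapping("/page")
    public ResponseEntity<?> page() {

        List<String> list = new ArrayList<>();

        list.add("test 1");
        list.add("test 2");
        list.add("test 3");
        list.add("test 4");

        // Return the static list with HTTP 200
        return new ResponseEntity<>(list, HttpStatus.OK);
    }
}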

I have configured a context path prefix for the project using:

server:
    port: 8080
    servlet:
        context-path: /engine

I want to restrict access using:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .httpBasic()
            .and()
        // Allow GET for dashboard page
        .authorizeRequests().antMatchers(HttpMethod.GET, "/data/page").authenticated()

        // Allow all requests by logged in users
        .anyRequest().authenticated()
            .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

But I get an error:

GET http://localhost:8080/engine/data/page 401

Do you know what the proper way is to configure endpoint permissions for a GET request?

One possible idea:

 Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
19:12:37.834 [http-nio-8080-exec-8] DEBUG AffirmativeBased[decide:66] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@659a59ae, returned: -1
19:12:37.834 [http-nio-8080-exec-8] DEBUG ExceptionTranslationFilter[handleSpringSecurityException:180] - Access is denied (user is anonymous); redirecting to authentication entry point

Maybe I need to remove .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
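
Added example, not part of the original question: the debug log above shows the request arriving as anonymousUser and being rejected by the authenticated() rule, so the configuration below puts the two possible intents for GET /data/page side by side. The class name DataPageSecurityConfig is an assumption; the API is the Spring Security 5.x WebSecurityConfigurerAdapter style the question uses.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class name; same adapter-based configuration style as the question.
@Configuration
@EnableWebSecurity
public class DataPageSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .httpBasic()
                .and()
            .authorizeRequests()
                // Patterns are matched without the context path, so "/data/page"
                // covers http://localhost:8080/engine/data/page.
                // Variant A (public page): anonymous GETs are let through.
                .antMatchers(HttpMethod.GET, "/data/page").permitAll()
                // Variant B (protected page): replace permitAll() with authenticated().
                // An anonymous GET is then answered with 401, and every request
                // must carry an "Authorization: Basic ..." header.
                // Everything else stays closed to anonymous callers.
                .anyRequest().authenticated()
                .and()
            // STATELESS: no HTTP session is created, so credentials are
            // checked on each request instead of once per session.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

With variant B the client has to authenticate on every call, for example curl -u <user>:<password> http://localhost:8080/engine/data/page, where the user and password are placeholders for an account the application knows.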

