intercept-url doesn't work as expected


Ruochao Zheng

Aug 21, 2016, 11:28:27 PM
to pac4j-users
<security:http pattern="/services/**" create-session="stateless" use-expressions="true"
               entry-point-ref="jwtEntryPoint">
    <security:csrf disabled="true" />
    <security:custom-filter ref="jwtSecurityFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/services/secured/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/services/**" access="permitAll"/>
</security:http>

<bean id="jwtSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
    <property name="clients" value="headerClient" />
    <property name="config" ref="config" />
</bean>

Currently, I'm using JWT to do the authentication for a web service, and the client is a single-page web app. But I found the intercept-url doesn't work in this case: all URLs under "/services/**" will throw 401 as defined in the entry point.

I haven't defined any matcher, and I'm not sure if I can use the Spring Security intercept-url only. It looks like this is similar to a matcher?

The current workaround is to separate the URLs that need to be secured into a standalone unit, e.g. <security:http pattern="/services/secured/**" ......> instead of defining them in the body.

Any idea?

Jérôme LELEU

Aug 22, 2016, 5:40:07 AM
to Ruochao Zheng, pac4j-users
Hi,

The SecurityFilter ensures security so if it's configured with a HeaderClient (or ParameterClient) accepting JWT (JwtAuthenticator), a 401 will be returned if the JWT is not provided or if the JWT authentication fails.

In your case, some part of the url is anonymous and the other part secured so you want to apply new checks with intercept-urls.

This can be done by allowing the SecurityFilter to perform an anonymous authentication if the JWT authentication fails.

<bean id="anonymousClient" class="org.pac4j.core.client.direct.AnonymousClient" />

<bean id="jwtSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
    <property name="clients" value="headerClient,anonymousClient" />
    <property name="config" ref="config" />
</bean>

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ruochao Zheng

Aug 22, 2016, 8:38:18 AM
to pac4j-users, ruo...@gmail.com
Thanks for the reply, will try that.

And you mentioned that a 401 will be returned if the JWT is not provided or authentication fails. From what I tested, if JWT authentication fails, it will just throw an exception, and the server returns 500.

I think I can use a custom authenticator to catch the exception and make server return 401 instead, or I can use any spring exception handler to achieve that. But I would like to see if you have any better way?

Thanks,
Ruochao

Jérôme LELEU

Aug 22, 2016, 8:43:44 AM
to Ruochao Zheng, pac4j-users
Hi,

You're right, I was confused. We have two different use cases.

If the JWT is missing and thus the authentication is not played, you'll get a 401. If the authentication fails because the JWT is not a valid one or does not match the secret / key signature / encryption you configured, you'll get a 500 error.

You can wrap the JwtAuthenticator into a new Authenticator and trap the TechnicalException if you don't want to expose it. It's up to you if you really need that.

Thanks.
Best regards,
Jérôme
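The wrapping Authenticator described above, as an added example that is not part of this thread or of the pac4j project. It assumes the pac4j 1.9 API (Authenticator.validate(credentials, context), TokenCredentials, TechnicalException) and the behaviour that a direct client treats a CredentialsException as "no valid credentials", so the request then falls through to the 401 entry point (or to the AnonymousClient if one is configured) instead of surfacing the TechnicalException as a 500. The class name SafeJwtAuthenticator and the bean ids are hypothetical.

```java
// Added example (not pac4j project code); assumes the pac4j 1.9 API.
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Wraps a JwtAuthenticator so that a malformed, unverifiable or
 * undecryptable JWT is reported as a credentials failure rather than
 * as a TechnicalException (which the stack turns into a 500 and which
 * may leak library internals in the error page).
 */
public class SafeJwtAuthenticator implements Authenticator<TokenCredentials> {

    private static final Logger LOG = LoggerFactory.getLogger(SafeJwtAuthenticator.class);

    private final JwtAuthenticator delegate;

    public SafeJwtAuthenticator(final JwtAuthenticator delegate) {
        this.delegate = delegate;
    }

    @Override
    public void validate(final TokenCredentials credentials, final WebContext context) throws HttpAction {
        try {
            // The real signature / encryption / expiration checks stay in JwtAuthenticator.
            delegate.validate(credentials, context);
        } catch (final TechnicalException e) {
            // Log the cause for operators, but never the raw token value.
            LOG.warn("Rejected JWT from {}: {}", context.getRemoteAddr(), e.getMessage());
            // CredentialsException: the direct client (assumption: pac4j 1.9 behaviour)
            // treats this as "no valid credentials", so the caller gets the 401 from the
            // entry point, or an anonymous profile when an AnonymousClient is also configured.
            throw new CredentialsException("JWT validation failed");
        }
    }
}
```

In the Spring XML from the first message this replaces the authenticator handed to the HeaderClient: define the existing JwtAuthenticator bean as before, add a bean of class SafeJwtAuthenticator with a constructor-arg referencing it, and point the headerClient bean at the wrapper. Only TechnicalException is trapped; HttpAction and CredentialsException raised by the delegate are left untouched so pac4j's own redirection and rejection semantics are preserved.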
