Security does not allow access to REST API for unauthenticated users

youthful-ostrich · April 30, 2023, 2:29pm

Hey,

I have a Spring RestController for an external service, that sends API requests to it.

@AnonymousAllowed
@PermitAll
@RestController
@RequestMapping("/api/stripe")
@RequiredArgsConstructor(onConstructor_ = @Autowired)
public class PaymentWebhook {

    @PostMapping("callback")
    public ResponseEntity<?> callback(@RequestBody String payload) {
    }

My SecurityConfig allows access for unauthorized users to all pages starting with "/api, see:

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests().requestMatchers("/public/**", "/line-awesome/**", "/api/**").permitAll();

    super.configure(http);
    setLoginView(http, LoginView.class);
  }

When I am logged in (authenticated with my user), the REST Controller works properly.
In any other case I am getting redirected to login view.

How can this be?

zesty-leopard · April 30, 2023, 2:40pm

You need to override the other method which take WebSecurity as parameter

marcoc_753 · April 30, 2023, 2:42pm

You have to tell Vaadin to ignore the /api mapping and probably also disable CSRF
Take a look at this SO question, and see if helps you Spring RequestMapping returning auto generated vaadin html page - Stack Overflow

youthful-ostrich · May 2, 2023, 6:58pm

Did not work

zesty-leopard · May 2, 2023, 6:58pm

.

youthful-ostrich · May 2, 2023, 6:59pm

I am Not sure what I have to do with that

youthful-ostrich · May 2, 2023, 7:00pm

Because there are no such methods and I am not experienced with Spring Security

zesty-leopard · May 2, 2023, 7:00pm

    @Override
    protected void configure(WebSecurity web) {
        web.ignoring().requestMatchers("/api/stripe/**");
    }
}```

youthful-ostrich · May 2, 2023, 7:00pm

Ok thanks

youthful-ostrich · May 2, 2023, 7:00pm

I’ll try

zesty-leopard · May 2, 2023, 7:00pm

Np

youthful-ostrich · May 2, 2023, 7:01pm

Still does not work

youthful-ostrich · May 2, 2023, 7:01pm

I am getting redirected to the login view

marcoc_753 · May 2, 2023, 7:02pm

Did you tried to add the logger configuration that is present in the SO answer? It should tell you something useful

marcoc_753 · May 2, 2023, 7:03pm

logging.level.org.springframework.security=DEBUG

youthful-ostrich · May 2, 2023, 7:04pm

It starts with
2023-05-02T21:03:39.141+02:00 DEBUG 61016 — [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Securing GET /login

Even though I am accessing /api/stripe/callback

youthful-ostrich · May 2, 2023, 7:04pm

I dont know what I should do about that

marcoc_753 · May 2, 2023, 7:07pm

Is there only this line?

youthful-ostrich · May 2, 2023, 7:10pm

I checked and it looks like the method of Stripe gets called, but the response is not displayed due to the redirection to the login page.

youthful-ostrich · May 2, 2023, 7:11pm

Due to an error being thrown I get redirected to the /error page that is not covered by the security config in terms of unauthenticated users