We store JWT inside a Cookie that is used between the frontend and backend.
In our ResourceServerConfigurerAdapter we configured this:
    http.authorizeRequests()
        .antMatchers("/rest/assets/**/").permitAll()
        .anyRequest().authenticated();
It says that all requests to /rest/assets/ should be allowed.
The problem is that if the JWT access token is expired, when it reaches the TokenExtractor (public Authentication extract(HttpServletRequest request) {}) the request is invalidated. But that happens before the matcher for /rest/assets is applied.
Is there a way to skip extracting the cookie if the URL is one of the .permitAll() paths? I want the request to go through even in case of an expired token.
The best way to do that would be to not match /rest/assets/** in the top-level matcher (let another filter take care of those requests), or mark those as "ignored" in the global security configuration. You could also modify your client not to send tokens to endpoints that don't need them, or to respond to the 403 and refresh the token (if it needs refreshing it seems like you'd want to do that anyway).
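Concretely, the first two suggestions in this reply look like the following on Spring Boot with @EnableResourceServer. This is an added example, not code from the thread or from spring-security-oauth; the class names are invented, and it assumes the resource-server chain keeps its default order of 3.

```java
// Added example: keep the resource-server chain (and its
// OAuth2AuthenticationProcessingFilter) away from /rest/assets/**.
// Assumption: Spring Boot 1.x + spring-security-oauth2 with @EnableResourceServer.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Option 1: a separate filter chain ordered ahead of the resource-server
// chain (@EnableResourceServer registers it at order 3). Requests under
// /rest/assets/** are handled here, where no token extraction happens,
// so an expired JWT in the cookie can no longer reject them.
@Configuration
@Order(1)
public class PublicAssetsSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/rest/assets/**")        // this chain matches only assets
            .authorizeRequests().anyRequest().permitAll();
    }
}

// Option 2 (use instead of, not together with, option 1): mark the path as
// ignored so it bypasses springSecurityFilterChain entirely. Caveat: no
// security filter runs for these requests at all, so there is no
// SecurityContext and no security headers on the response either.
@Configuration
class IgnoredAssetsSecurity extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/rest/assets/**");
    }
}
```

Either way the ResourceServerConfigurerAdapter can drop its permitAll() line for assets, since those requests never reach it.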
It sounds as though we could update the OAuth2AuthenticationProcessingFilter to allow failed authentication attempts. This means that public resources would be allowed access if it fails and non-public resources would then fail because the authorization would not work.
A workaround would be to create a new WebSecurityConfigurerAdapter as @dsyer mentions.