Spring-security-oauth: JWT is extracted/validated before RequestMatcher

Created on 23 Mar 2016 · 2 Comments · Source: spring-projects/spring-security-oauth

We store JWT inside a Cookie that is used between the frontend and backend.
In our ResourceServerConfigurerAdapter we configured this:

http.authorizeRequests()
        .antMatchers("/rest/assets/**/").permitAll()
        .anyRequest().authenticated();

It says that all requests to /rest/assets/ should be allowed.

The problem is that if the JWT access token is expired, when it goes to the TokenExtractor ( public Authentication extract(HttpServletRequest request){} ) that will invalidate the request. But that happens before the matcher for /rest/assets.

Is there a way to skip the extraction of the cookie if the URL is one of the .permitAll() ones? I want the request to go through even in the case of an expired token.

waiting-for-triage

All 2 comments

The best way to do that would be to not match /rest/assets/** in the top-level matcher (let another filter take care of those requests), or mark those as "ignored" in the global security configuration. You could also modify your client not to send tokens to endpoints that don't need them, or to respond to the 403 and refresh the token (if it needs refreshing it seems like you'd want to do that anyway).
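The two server-side options in this reply, written out as a configuration example added by the editor (not code from the thread or from the project): keep the public asset path out of the resource server's request matcher, or ignore it globally. Class names and the package layout are assumed; it targets the spring-security-oauth2 2.x / Spring Security 4.x APIs this issue is about.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Option 1 (assumed class name): scope the resource-server filter chain so that
// OAuth2AuthenticationProcessingFilter, and with it the TokenExtractor, is never
// invoked for /rest/assets/**. An expired JWT cookie on those URLs is simply ignored.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        RequestMatcher api = new AntPathRequestMatcher("/rest/**");
        RequestMatcher publicAssets = new AntPathRequestMatcher("/rest/assets/**");

        http
            // Top-level matcher: "/rest/**" but NOT "/rest/assets/**".
            // Requests outside this matcher never enter this chain at all.
            .requestMatcher(new AndRequestMatcher(api, new NegatedRequestMatcher(publicAssets)))
            .authorizeRequests()
                // Everything that does reach this chain needs a valid token.
                .anyRequest().authenticated();
    }
}

// Option 2 (assumed class name): mark the asset path as ignored in the global
// security configuration. Ignored paths bypass springSecurityFilterChain entirely,
// so no token is read there; note they also receive none of Spring Security's
// default response headers, which is acceptable for static, public assets only.
@Configuration
class PublicAssetsConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/rest/assets/**");
    }
}
```

Use one option or the other; both leave every other /rest/** endpoint behind token validation, so an expired token still yields the usual 401 there.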

It sounds as though we could update the OAuth2AuthenticationProcessingFilter to allow failed authentication attempts. This means that public resources would be allowed access if it fails and non-public resources would then fail because the authorization would not work.

A workaround would be to create a new WebSecurityConfigurerAdapter as @dsyer mentions.
