
Consider warning users if securityMatchers do not match some filter in the chain

Open Haarolean opened this issue 1 year ago • 3 comments

Describe the bug

HttpSecurity configuration with securityMatcher and oauth2Login(withDefaults()) leads to 404 for some OAuth2 endpoints.

To Reproduce

  1. Clone this repo: https://github.com/Haarolean/spring-security-matchers-bug
  2. Run the app
  3. Go to http://localhost:8080/oauth2/authorization/github
  4. Observe 404

Also,

  1. Commenting line 25 in OAuthSecurityConfig fixes the issue.
  2. An endpoint like http://localhost:1337/login/oauth2/code/github?code=xxx still works for some reason.
  3. I've traced the issue down to MvcRequestMatcher, where notMatchMethodOrServletPath always results in true. Without line 25, MvcRequestMatcher is not used, rather AnyRequestMatcher is being used.
  4. I've dug through all the possible documentation on securityMatcher and didn't find anything which could explain the problem.

Expected behavior

oauth, csrf, cors and other configurations are applied only for /api/web/**.

Sample

https://github.com/Haarolean/spring-security-matchers-bug

Haarolean, Nov 04 '23 21:11
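An added configuration example (not the linked repository's code) illustrating the mechanism behind the report: the filters that oauth2Login() installs live inside the chain it is called on, and FilterChainProxy only hands a request to a chain whose securityMatcher matches it, so a chain matching only /api/web/** never sees /oauth2/authorization/github and the request falls through to a 404. The matcher patterns for the OAuth2 endpoints are Spring Security's defaults; the chain ordering, the second catch-all chain and its denyAll policy are assumptions for illustration.

```java
// Added example, not from the linked repository. Shows a securityMatcher that
// also covers the default OAuth2 login endpoints so the oauth2Login filters
// configured in this chain actually receive those requests.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuthSecurityConfig {

    // Chain 1: only requests matching these patterns enter this chain. With
    // just "/api/web/**", a GET to /oauth2/authorization/github never reaches
    // OAuth2AuthorizationRequestRedirectFilter (added by oauth2Login) and is
    // answered by the DispatcherServlet instead, hence the 404 in the report.
    @Bean
    @Order(1)
    SecurityFilterChain webApiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(
                "/api/web/**",
                "/oauth2/authorization/**",   // default authorization-request endpoint
                "/login/oauth2/code/**")      // default redirect (authorization code) endpoint
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2 (assumed): everything outside the patterns above gets its own
    // explicit policy rather than silently having no security chain at all.
    // denyAll is a conservative placeholder; adjust to the application's needs.
    @Bean
    @Order(2)
    SecurityFilterChain fallbackChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().denyAll());
        return http.build();
    }
}
```

A quick check after applying this: a GET to /oauth2/authorization/github should now return a 302 redirect to the provider rather than a 404, while paths under /api/web/** keep the csrf, cors and oauth2 settings of the first chain only.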