I'm trying to get CORS running. What I need is:
Return 401 for all HTTP methods except OPTIONS when not providing credentials.
The cors line does absolutely nothing. To my understanding, it should work.

    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> {
                try {
                    auth.requestMatchers("/**").authenticated();
                } catch (final Exception e) {
                    LOG.log(Level.SEVERE, "Unable to set up security chain.");
                    throw new IllegalStateException(e);
                }
            })
            .httpBasic(withDefaults())
            .build();
    }

This always returns 401. The httpMethod parameter is ignored:

    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> {
                try {
                    auth.requestMatchers("/**", HttpMethod.GET).authenticated();
                    auth.requestMatchers("/**", HttpMethod.OPTIONS).permitAll();
                } catch (final Exception e) {
                    LOG.log(Level.SEVERE, "Unable to set up security chain.");
                    throw new IllegalStateException(e);
                }
            })
            .httpBasic(withDefaults())
            .build();
    }

This one returns 200 for OPTIONS and 500 "principal not found" instead of 401 for GET:

    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> {
                try {
                    auth.requestMatchers("/**", HttpMethod.OPTIONS).permitAll()
                        .requestMatchers("/**", HttpMethod.GET).authenticated();
                } catch (final Exception e) {
                    LOG.log(Level.SEVERE, "Unable to set up security chain.");
                    throw new IllegalStateException(e);
                }
            })
            .httpBasic(withDefaults())
            .build();
    }

asked 2 days ago by user29693552
- CORS and authentication are not related. If you only want to accept OPTIONS that will be in the CORS config and authentication should be handled as you are. – Kieran Foot Commented 2 days ago
1 Answer
I finally found the problem. I was using the wrong import. I used
.springframework.http.HttpMethod.GET
instead of jakarta.ws.rs.HttpMethod.GET
which returned a string that was evaluated as a pattern.