szerhusenBC/jwt-spring-security-demo

How exactly can the request bypass the JwtAuthorizationTokenFilter and reach the token creation endpoint?

szoke opened this issue · 3 comments

szoke commented

Hi Stephan,

Thanks for your demo project, it is most useful. May I ask a question about it?
I am working on an app that implements the same pattern that yours does. The client first logs in by posting their credentials to an endpoint, then the handler method in the controller generates a JWT that is included in the header of subsequent requests (sent to other endpoints). Therefore, in the security configuration there is a line like this in order not to require a JWT check for login:
.antMatchers("/auth/**").permitAll()

This worked before upgrading the project to Spring Boot 2.0.2 but now I get HTTP 401. I have tried to adjust the security config, tried many variants without success. I debugged your app and it works like a charm.

I can see that you upgraded too and got the app to work. (Commit below) Could you please explain what exactly enables the request to bypass the JwtAuthorizationTokenFilter and reach the token creation endpoint?
6c82826#diff-1e6bd33b8b14c44cdfb57d257e3fd446

Could you maybe take a look at my question at https://stackoverflow.com/questions/50793203/spring-security-permitall-no-longer-effective-after-upgrading-to-spring-boot where I also included the Java code?

Note:
I have been trying to make it work for more than a day. I added
@Override
public void configure(WebSecurity web) throws Exception {
    // AuthenticationTokenFilter will ignore the below paths
    web
        .ignoring()
        .antMatchers(
            HttpMethod.POST,
            authenticationPath
        )
        ...
to my security config but it has no effect for me.

Many thanks in advance and keep up the great work,
Andras

szoke commented

FYI, meanwhile I got an answer on Stack Overflow that proved correct.

szerhusenBC commented

@szoke sorry for not answering your question here. I'm very busy right now. I'm glad to hear that you can solve your problem.

szoke commented

@szerhusenBC Never mind. I hope the answer will be useful for other people stuck with this problem.