Update to Spring Boot 2.7.5 with Spring Security 5.7.4

Greenhorn

Posts: 1

posted 1 year ago

Number of slices to send:

Optional 'thank-you' note:

Send

Howdy,

I am attempting to update my enterprise level application to Spring Boot 2.7.5 with Spring Security 5.7.4 and I am running into a couple different CORS issues. The first is a 302 Found redirect when trying to use any API endpoints, I have not experienced this in a week so maybe it's been resolved but I'm not sure, and the other is a 403 invalid preflight with missing Access-Control-Allow-Origin header which I am currently dealing with.

The reason for the update is because sometimes when deploying to a Tomcat 9 server, the created WAR files either do not even run, or they say they are running but none of the API endpoints are exposed. I'm beginning to think the update won't have an impact on them.

How would I configure my SecurityConfig class to utilize my custom filters and overcome the CORS issues I am dealing with?

SecurityConfig implementation

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig {

@Bean
    public UserDetailsService userDetailsService() {
        return new AccessorController();
    }

@Bean
    public BCryptPasswordEncoder htePasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
                authorizationManagerRequestMatcherRegistry
                        .antMatchers("/access/token/**").permitAll()
                        .antMatchers("/access/login/**").permitAll()
                        .antMatchers("/access/license/**").permitAll()
                        .antMatchers("/access/refreshToken/**").permitAll()
                        .antMatchers("/licensing/**/**").permitAll()
                        .antMatchers("/ui/saveChecksumLogs").permitAll()
                        .antMatchers("/ws-message/**").permitAll()
                        .antMatchers("/swagger-ui/**").permitAll()
                        .antMatchers("/v3/**").permitAll()
                        .antMatchers("/ui/disabledProfileUpdatedStatus").permitAll()
                        .antMatchers("/ui/profileUpdatedStatus").permitAll()
                        .antMatchers("/ui/test").permitAll()
                        .anyRequest().authenticated()).sessionManagement(httpSecuritySessionManagementConfigurer ->
                httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

http.addFilterBefore(new CORSFilter(), BasicAuthenticationFilter.class);
        http.apply(new CustomAuthenticationManager());
        http.addFilterBefore(new HteAuthorizationFilter(),
                UsernamePasswordAuthenticationFilter.class);
        http.addFilterAfter(new DomainAuthorizationFilter(),
                BasicAuthenticationFilter.class);
        http.addFilterAfter(new RoleAuthorizationFilter(),
                BasicAuthenticationFilter.class);

return http.build();
    }

class CustomAuthenticationManager extends AbstractHttpConfigurer<CustomAuthenticationManager, HttpSecurity> {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
            provider.setPasswordEncoder(htePasswordEncoder());
            provider.setUserDetailsService(userDetailsService());
            HTeAuthenticationFilter hteAuth = new HTeAuthenticationFilter(new ProviderManager(provider));
            hteAuth.setFilterProcessesUrl("/access/login");
            http.addFilter(hteAuth);
        }
    }
}

Custom CORS Filter

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CORSFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        String origin = httpReq.getHeader("Origin");
        HttpServletResponse httpRes = (HttpServletResponse) response;

if (origin != null && !origin.isEmpty() && !origin.equalsIgnoreCase("null") && (origin.equals("http://localhost:3000") || origin.equals("http://127.0.0.1:3000"))) {
            httpRes.setHeader("Access-Control-Allow-Origin", "http://localhost:3000");
            httpRes.setHeader("Access-Control-Allow-Credentials", "true");

if (httpReq.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(httpReq.getMethod())) {
                httpRes.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
                httpRes.addHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, TargetDomain, Targetdomain, Cache-Control, Accept, X-Requested-With, Origin");
                httpRes.addHeader("Access-Control-Expose-Headers", "Authorization, Content-Type, TargetDomain, Targetdomain, Cache-Control, Accept, X-Requested-With, Origin");
                httpRes.setStatus(200);
            }
        }
        chain.doFilter(httpReq, httpRes);
    }

@Override
    public void destroy() {}
    @Override
    public void init(FilterConfig config) throws ServletException {}
}