Spring Boot 3.2.5 @PreAuthorize gives Forbidden
Hi Team,
After upgrading to Spring Boot 3.2.5, the methods annotated with @PreAuthorize("isAuthenticated()") start throwing a Forbidden error.
If I simply downgrade to 3.2.4, then everything works normally.
My security configuration class looks like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// AuthenticationManager and SecurityContextRepository are the application's own classes
// (they hold the token validation logic described below); their imports are application-specific.

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class GraphqlSecurityConfig {

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository securityContextRepository;

    @Autowired
    public GraphqlSecurityConfig(
            AuthenticationManager authenticationManager,
            SecurityContextRepository securityContextRepository) {
        this.authenticationManager = authenticationManager;
        this.securityContextRepository = securityContextRepository;
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
        return httpSecurity
                // Stateless token API: no CSRF, basic or form login
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
                // Token validation happens in these two components
                .authenticationManager(authenticationManager)
                .securityContextRepository(securityContextRepository)
                // Exchange-level rules allow everything; authorization is left to @PreAuthorize
                .authorizeExchange(it -> it.pathMatchers("*").permitAll())
                .build();
    }
}
```
AuthenticationManager and SecurityContextRepository contain the token validation logic: they take the token from the Authorization header and create a UsernamePasswordAuthenticationToken.
Also, in 3.2.5, if I remove @PreAuthorize I am able to access the Principal and Credentials from ReactiveSecurityContextHolder.getContext() after passing the Authorization header.
Simply downgrading to 3.2.4 makes everything work fine.
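An added illustration (not the reporter's code) of the token-validating ReactiveAuthenticationManager and ServerSecurityContextRepository described above, assuming a bearer token in the Authorization header and a constructed token-to-user table in place of real token validation:

```java
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/** Stateless repository: re-reads the bearer token from the Authorization header on every request. */
public class BearerTokenSecurityContextRepository implements ServerSecurityContextRepository {
    private final ReactiveAuthenticationManager authenticationManager;

    public BearerTokenSecurityContextRepository(ReactiveAuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
        return Mono.empty(); // nothing to persist: the token is validated again on the next request
    }

    @Override
    public Mono<SecurityContext> load(ServerWebExchange exchange) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            return Mono.empty(); // no context: the request stays anonymous and isAuthenticated() denies it
        }
        String token = header.substring("Bearer ".length());
        return authenticationManager
                .authenticate(new UsernamePasswordAuthenticationToken(token, token)) // not yet authenticated
                .map(SecurityContextImpl::new);
    }

    /** Token check stand-in: a constructed token-to-user table instead of a real JWT/opaque-token validator. */
    static class TokenAuthenticationManager implements ReactiveAuthenticationManager {
        private static final Map<String, String> VALID_TOKENS = Map.of("constructed-token-1", "alice");

        @Override
        public Mono<Authentication> authenticate(Authentication authentication) {
            String subject = VALID_TOKENS.get(String.valueOf(authentication.getCredentials()));
            if (subject == null) {
                return Mono.empty(); // unknown or expired token: yield no Authentication rather than a half-built one
            }
            // The three-argument constructor marks the token authenticated; the two-argument form leaves
            // isAuthenticated() false, which recent Spring Security releases treat as not authenticated.
            return Mono.just(new UsernamePasswordAuthenticationToken(subject, authentication.getCredentials(),
                    List.of(new SimpleGrantedAuthority("ROLE_USER"))));
        }
    }
}
```

Wire the repository into the config above with `.securityContextRepository(new BearerTokenSecurityContextRepository(manager))`; a request without a valid bearer token then reaches @PreAuthorize("isAuthenticated()") as anonymous and is denied, which is the expected Forbidden, while a valid one carries a fully authenticated principal.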
Thanks for the report. I suspect that this isn't caused by Spring Boot itself but, most likely, by a change in Spring Security. That said, it's hard to be certain as we don't have the full picture here. For example, you haven't shown the code where you're using @PreAuthorize.
If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.