Spring Boot 2 - 404 for OAuth2 after authentication
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http
            .antMatcher( "/**" )
            .authorizeRequests()
                .antMatchers( HttpMethod.OPTIONS, "/" ).permitAll()
                .antMatchers( HttpMethod.GET, "/app/**" ).permitAll()
                .antMatchers( LOGIN_DESTINATION ).permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .successHandler( oAuth2AuthenticationSuccessHandler )
                .and()
            .sessionManagement()
                .sessionCreationPolicy( SessionCreationPolicy.STATELESS );
    }
I currently have a Spring Boot application configured as so... which currently redirects to my authentication server, allowing me to authenticate ok, and then redirects back to my application ready for the next part of the authentication dance.
Essentially, I've reached part 3) here from what I can tell.
My inbound URL appears to be a GET request to:
http://localhost:8080/login?code=[redacted]
From my understanding, this is the default Spring security URL which should now be kicking in a filter to perform the next part of the security dance. However, inside my application this page is currently 404'ing with a white screen of death as below:
Of note is that a GET request to /login without parameters initiates the default Spring security login page - so whatever magic goes on behind the scenes for THAT part of the security handshake is working ok.
Wondering how / where / why that URL resolves differently in the context of spring filters, and how to get it to perform the next piece of the handshake automagically. It appears that somewhere in my security config once the /login has parameters on it i.e. the ?code=blah, a 404 occurs.
Rightly, or wrongly. Some of the things within my app of relevance:
@EnableOAuth2Client added to main application class. Perhaps this should be @EnableOAuth2Sso? Or do I need to manually register the filter?
Below application yml config
    security:
      oauth2:
        client:
          registration:
            myclient:
              clientId: [clientidredacted]
              clientSecret: [redacted]
              authorization-grant-type: authorization_code
              redirect-uri: '{baseUrl}/login'
          provider:
            propertypal:
              authorizationUri: https://auth.authserver.com/oauth/authorize
              tokenUri: https://auth.authserver.com/oauth/token
Log output:
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/login' matched by universal pattern '/**'
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2019-06-25 10:58:50.985 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth2/authorization/{registrationId}'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login/oauth2/code/*'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy : /login at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3dba75bf
2019-06-25 10:58:50.986 DEBUG 4166 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/login' matched by universal pattern '/**'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth2/authorization/{registrationId}'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login/oauth2/code/*'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2019-06-25 10:58:52.962 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 9 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6bc44a5c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7AE9900602736997387E290E40F7986C; Granted Authorities: ROLE_ANONYMOUS'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'OPTIONS /'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/app/**'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /login?code=[redacted]&state=[redacted]; Attributes: [permitAll]
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6bc44a5c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7AE9900602736997387E290E40F7986C; Granted Authorities: ROLE_ANONYMOUS
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2b3f7dfc, returned: 1
2019-06-25 10:58:52.963 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2019-06-25 10:58:52.964 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2019-06-25 10:58:52.964 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] reached end of additional filter chain; proceeding with original chain
2019-06-25 10:58:52.965 WARN 4166 --- [io-8080-exec-10] o.s.web.servlet.PageNotFound : No mapping for GET /login
2019-06-25 10:58:52.965 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3dba75bf
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/error' matched by universal pattern '/**'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST /logout'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/login/oauth2/code/*'
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2019-06-25 10:58:52.966 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 9 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6bc44a5c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7AE9900602736997387E290E40F7986C; Granted Authorities: ROLE_ANONYMOUS'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-06-25 10:58:52.967 DEBUG 4166 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy : /error?code=[redacted]&state=[redacted] reached end of additional filter chain; proceeding with original chain
2019-06-25 10:58:52.970 DEBUG 4166 --- [io-8080-exec-10] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-06-25 10:58:52.970 DEBUG 4166 --- [io-8080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
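
In the log above, OAuth2LoginAuthenticationFilter only tests the request against '/login/oauth2/code/*', while the registration's redirect-uri expands to /login. The following is an added example, not part of the original post: it reads that pattern out of such a log and checks whether a redirect-uri template expands to a path the filter would pick up. The function names, the simplified Ant matcher and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, in the format of the DEBUG output above (timestamps trimmed).
SAMPLE_LOG = """\
o.s.security.web.FilterChainProxy : /login?code=[redacted]&state=[redacted] at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/login/oauth2/code/*']
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login/oauth2/code/*'
o.s.s.w.util.matcher.AndRequestMatcher : Did not match
"""

FIRING = re.compile(r"firing Filter: '(\w+)'")
ANT = re.compile(r"Ant \[pattern='([^']+)'\]")


def callback_pattern(log_text, filter_name="OAuth2LoginAuthenticationFilter"):
    """Return the Ant pattern logged right after `filter_name` fires, or None."""
    current = None
    for line in log_text.splitlines():
        fired = FIRING.search(line)
        if fired:
            current = fired.group(1)  # remember which filter is running
            continue
        ant = ANT.search(line)
        if ant and current == filter_name:
            return ant.group(1)
    return None


def ant_to_regex(pattern):
    """Simplified Ant-path translation: '**' spans segments, '*' and '?' do not."""
    rules = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(rules.get(p, re.escape(p)) for p in parts))


def expand_redirect_uri(template, base_url, registration_id):
    """Expand the {baseUrl} and {registrationId} template variables."""
    return (template.replace("{baseUrl}", base_url.rstrip("/"))
                    .replace("{registrationId}", registration_id))


def callback_is_handled(template, base_url, registration_id, pattern):
    """True if the expanded redirect-uri path falls inside the filter's pattern."""
    path = urlsplit(expand_redirect_uri(template, base_url, registration_id)).path
    return ant_to_regex(pattern).fullmatch(path) is not None
```

With the values from the post, '{baseUrl}/login' is reported as not handled, whereas '{baseUrl}/login/oauth2/code/{registrationId}' falls inside the logged pattern.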
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow