Skip to content

CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method #32622

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
jzheaux opened this issue Oct 6, 2022 · 4 comments
Closed

CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method #32622

jzheaux opened this issue Oct 6, 2022 · 4 comments
Assignees
@philwebb
Labels
type: bug A general bug
Milestone
3.5.0

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Oct 6, 2022

Spring Security 5.8/6 supports delaying the lookup of the SecurityContext until an authorization rule requires it.

As such, it's preferred to use authorizeHttpRequests#permitAll over web.ignoring(). In the past web.ignoring() was added as a quick workaround to address the performance impact of looking up the SecurityContext on every request. Now, Spring Security defers that work until authorization-time and in the case of permitAll, no authorization is performed.

Consider the following application:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
        )
        // ...

    return http.build();
}

@Bean 
WebSecurityCustomizer ignore() {
    return (web) -> web.ignoring().antMatchers("/cloudfoundry/**");
}

The behavior of the above application asks Spring Security to protect all endpoints other than /cloudfoundry.

As of Spring Security 5.7, this produces a warning that web.ignoring() is not recommended since this prevents Spring Security from using its WAF and writing secure HTTP response headers for those ignored endpoints.

Alternatively, the application can do the following:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize
                .mvcMatchers("/cloudfoundry/**").permitAll()
                .anyRequest().authenticated()
        )
        // ...

    return http.build();
}

Or, if it should be considered entirely separate:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
        // ...

    return http.build();
}

@Bean 
@Order(-1)
SecurityFilterChain cloudfoundry(HttpSecurity http) {
    http
        .securityMatchers((matches) -> matches.requestMatchers("/cloudfoundry/**"))
        .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll());

    return http.build();
}

This has the additional benefit of removing Spring Security's warning message.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 6, 2022
@mbhave mbhave added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 2, 2022
@mbhave mbhave added this to the 2.7.x milestone Nov 2, 2022
@mayrstefan mayrstefan mentioned this issue Nov 2, 2022
Closed
@somayaj
Copy link
Contributor

somayaj commented May 26, 2023
edited
Loading

Hi @mbhave @maystefan @jzheaux is this still a bug to be worked on?

@philwebb philwebb modified the milestones: 2.7.x, 3.1.x Nov 8, 2023
@somayaj
Copy link
Contributor

somayaj commented Feb 20, 2024

Hello, is there an agreement here on the approach to follow?

@scottfrederick
Copy link
Contributor

@somayaj We haven't had the time to look closer at this issue with other priorities we're working on.

@mhalbritter mhalbritter mentioned this issue Apr 16, 2024
Closed
@wilkinsona wilkinsona modified the milestones: 3.1.x, 3.2.x May 20, 2024
@philwebb philwebb modified the milestones: 3.2.x, 3.3.x Nov 20, 2024
@philwebb philwebb self-assigned this May 6, 2025
@philwebb philwebb modified the milestones: 3.3.x, 3.5.x May 6, 2025
@philwebb philwebb changed the title Use permitAll for CloudFoundry endpoints Cloud Foundry security matcher logs a warning due to use of the 'ignoring()' method May 6, 2025
@philwebb philwebb changed the title Cloud Foundry security matcher logs a warning due to use of the 'ignoring()' method CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method May 6, 2025
@philwebb
Copy link
Member

philwebb commented May 6, 2025

I've moved this to 3.5.x since I'm not sure we really want to change the security config in a patch release. @jzheaux, Could you review 0386fbe if you get a chance and see if it's what you had in mind.

@philwebb philwebb modified the milestones: 3.5.x, 3.5.0 May 6, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@philwebb philwebb

Labels
type: bug A general bug
Projects
None yet
Milestone
3.5.0
Development

No branches or pull requests
7 participants
@scottfrederick @philwebb @wilkinsona @mbhave @jzheaux @spring-projects-issues @somayaj