I’m trying to upgrade Spring Boot 2.7 to Spring Boot 3.0. As WebSecurityConfigurerAdapter is deprecated in Spring 3.0, I’m going ahead with the filterChain approach.
```java
@Bean
AuthenticationManager authenticationManagerag(HttpSecurity http) {
    try {
        AuthenticationManagerBuilder authenticationManagerBuilder =
                http.getSharedObject(AuthenticationManagerBuilder.class);
        // authenticationProvider is a field injected elsewhere in this configuration class
        authenticationManagerBuilder.authenticationProvider(authenticationProvider);
        return authenticationManagerBuilder.build();
    } catch (final Exception e) {
        throw new BeanInitializationException("Security configuration failed", e);
    }
}

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf(AbstractHttpConfigurer::disable)
        .cors(AbstractHttpConfigurer::disable)
        // rules are evaluated top to bottom; the first matcher that matches the request wins
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(HttpMethod.OPTIONS).permitAll()
            .requestMatchers("/management/**").permitAll()
            .requestMatchers("/swagger-resources/configuration/ui").permitAll()
            .requestMatchers("/v3/api-docs/**").permitAll()
            .requestMatchers("/api-docs/**").permitAll()
            .requestMatchers("/health/**").permitAll()
            .requestMatchers("/swagger-ui/index.html").permitAll()
            .requestMatchers("/api/v1/**").authenticated()
            .requestMatchers("/api/**").authenticated()
        )
        // AuthFilter and myAuthFilter are custom filters defined elsewhere in the project
        .addFilterBefore(new AuthFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterAfter(new myAuthFilter(), AuthFilter.class)
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        )
        .formLogin(AbstractHttpConfigurer::disable)
        .httpBasic(AbstractHttpConfigurer::disable)
        .logout(AbstractHttpConfigurer::disable);
    return http.build();
}
```
After updating this, I’m getting a 403 Forbidden whenever I hit an endpoint in the `api/v1` path. But if I put `.requestMatchers("/api/**").permitAll()` at the top of the requestMatchers and hit the `api/v1` path, it works fine. In both instances the auth filters work correctly.

First I thought there was an issue with the order I provided the requestMatchers in, but I’m unable to find the issue with this.

For logs I only get the following:
```text
2024-07-12 21:38:51,898|DEBUG|[http-nio-8085-exec-3]|[][][]|org.springframework.security.web.session.SessionManagementFilter.doFilter – Request requested invalid session id 4B623F9606114F7B3A96E4BA1404524C
2024-07-12 21:38:51,909|DEBUG|[http-nio-8085-exec-3]|[][][]|org.springframework.security.web.access.AccessDeniedHandlerImpl.handle – Responding with 403 status code
2024-07-12 21:38:51,923|DEBUG|[http-nio-8085-exec-3]|[][][]|org.springframework.security.web.FilterChainProxy.doFilterInternal – Securing GET /error
2024-07-12 21:38:51,929|DEBUG|[http-nio-8085-exec-3]|[][][]|org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous – Set SecurityContextHolder to anonymous SecurityContext
2024-07-12 21:38:51,930|DEBUG|[http-nio-8085-exec-3]|[][][]|org.springframework.security.web.authentication.Http403ForbiddenEntryPoint.commence – Pre-authenticated entry point called. Rejecting access
2024-07-12 21:38:52,070|DEBUG|[taskScheduler-2]|[][][]|org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.closeExpired – Closing expired connections
2024-07-12 21:38:52,071|DEBUG|[taskScheduler-2]|[][][]|org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.closeIdle – Closing connections idle longer than 30 SECONDS
```
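A way to separate the matcher-order question from the custom filters, as an added example that is not part of the question above: a Spring Security test that builds a chain with the same `/api/v1/**` and `/api/**` rules but without `AuthFilter`/`myAuthFilter`, and checks that an anonymous request is rejected with 403 while an authenticated principal reaches the controller. It assumes `spring-security-test` and `spring-test` on the test classpath; `RulesOnlyConfig`, `PingController` and the user `alice` are constructed for the test, and the application's own `SecurityFilterChain` is deliberately not loaded.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@SpringJUnitConfig @WebAppConfiguration
class ApiAuthorizationRulesTest {
    // Test-only chain (constructed): same matcher order as the question, custom filters left out
    @Configuration @EnableWebMvc @EnableWebSecurity
    static class RulesOnlyConfig {
        @Bean SecurityFilterChain rulesOnly(HttpSecurity http) throws Exception {
            http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/management/**", "/health/**").permitAll()
                    .requestMatchers("/api/v1/**").authenticated()
                    .requestMatchers("/api/**").authenticated())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
            return http.build();
        }
        @Bean PingController pingController() { return new PingController(); } // constructed endpoint
    }
    @RestController
    static class PingController { @GetMapping("/api/v1/ping") String ping() { return "pong"; } }
    @Autowired WebApplicationContext ctx;
    @Test // no credentials: with basic/form login off, the default entry point answers 403, as in the logs
    void anonymousRequestGets403() throws Exception {
        mockMvc().perform(get("/api/v1/ping")).andExpect(status().isForbidden());
    }
    @Test // an authenticated principal reaches the controller, so the matcher order itself is not the cause
    void authenticatedRequestGets200() throws Exception {
        mockMvc().perform(get("/api/v1/ping").with(user("alice"))).andExpect(status().isOk());
    }
    private MockMvc mockMvc() { return MockMvcBuilders.webAppContextSetup(ctx).apply(springSecurity()).build(); }
}
```

If both tests pass, the remaining difference from the failing application is what `AuthFilter` and `myAuthFilter` leave in the `SecurityContext` before the authorization filter runs.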