Ever since I upgraded my Spring Boot version from 2.0 to 3.0, I’ve been getting a whitelabel error page with the following message:
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jul 11 12:50:49 CEST 2024
There was an unexpected error (type=Forbidden, status=403).
Forbidden
But if I enter the URL “http://localhost:8080/application/” and navigate to “/admin” or any other defined path in securityFilterChain, it opens normally without any issues.
I can’t pinpoint what exactly is wrong. Below is the relevant code (the SecurityConfiguration file).
package de.example.application.config;

import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import com.vaadin.flow.spring.security.RequestUtil;
import de.bmg.kraftfahrer.utils.ApplicationConstants;
import org.springframework.core.io.ClassPathResource;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.Resource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    @Value("${saml.idpURL}")
    private String idpMetadataURL;

    @Value("${spring.security.saml2.relyingparty.registration.sp.entity-id}")
    private String entityId;

    @Value("${spring.security.saml2.relyingparty.registration.sp.acs.location}")
    private String acsLocation;

    @Value("${saml.registrationid}")
    String registrationId;

    boolean securityDebug;

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, RequestUtil requestUtil) throws Exception {
        http.csrf(cfg -> cfg.ignoringRequestMatchers(requestUtil::isFrameworkInternalRequest));
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/user/*").hasAnyRole(ApplicationConstants.APPLICATION_USER.toString())
                .requestMatchers("/admin/*").hasAuthority(ApplicationConstants.APPLICATION_ADMIN.toString())
                //.requestMatchers("/error").permitAll()
                .requestMatchers("/h2-console/**").permitAll()
                .anyRequest().authenticated()
        ).saml2Login(saml2 -> {});
        return http.build();
    }

    @Bean
    RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(RelyingPartyRegistrationRepository registrations) {
        return new DefaultRelyingPartyRegistrationResolver(id -> registrations.findByRegistrationId(registrationId));
    }

    @Bean
    RelyingPartyRegistrationRepository repository(@Value("classpath:saml/idpbmg.pkcs8") RSAPrivateKey privateKey) {
        Saml2X509Credential signing = Saml2X509Credential.signing(privateKey, relyingPartyCertificate());
        RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
                .fromMetadataLocation(idpMetadataURL).entityId(entityId).assertionConsumerServiceLocation(acsLocation)
                .registrationId(registrationId).signingX509Credentials(credentials -> credentials.add(signing)).build();
        return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
    }

    X509Certificate relyingPartyCertificate() {
        Resource resource = new ClassPathResource("saml/idpbmg.cer");
        try (InputStream is = resource.getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        } catch (Exception ex) {
            throw new UnsupportedOperationException(ex);
        }
    }
}
- I have checked my security configuration but couldn’t identify the issue.
- The endpoints mapping seems to work fine when accessed directly.
When entering the URL http://localhost:8080/application/admin/, it should not display a Whitelabel Error Page but rather the expected page.
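The message in the post ("no explicit mapping for /error" together with a 403) is what the container's error dispatch produces when the `/error` dispatch itself is rejected by the filter chain. Spring Security 6 (the version Spring Boot 3 pulls in) applies `authorizeHttpRequests` to every dispatcher type by default, so the internal ERROR and FORWARD dispatches to `/error` also hit `anyRequest().authenticated()`. The configuration below is an added example, not the poster's code: it permits only those dispatcher types rather than the `/error` path for all requests (the commented-out line in the post), so a client that sends `GET /error` directly is still a normal REQUEST dispatch and still has to authenticate. The package name, class name and the two authority strings are placeholders standing in for the post's `ApplicationConstants`; the CSRF and H2 console rules from the post are left out to keep the example focused.

```java
package de.example.application.config; // assumed package, mirrors the post

import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class ErrorDispatchSecurityConfiguration {

    // Placeholder authority names; the post derives these from ApplicationConstants.
    private static final String USER_ROLE = "APPLICATION_USER";       // hasAnyRole adds the ROLE_ prefix
    private static final String ADMIN_AUTHORITY = "APPLICATION_ADMIN"; // hasAuthority matches verbatim

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                // Spring Security 6 authorizes every dispatcher type. Permit the
                // container's internal ERROR and FORWARD dispatches (the ones that
                // render /error) without opening the /error path to direct requests:
                // a client GET /error is a REQUEST dispatch and still falls through
                // to anyRequest().authenticated() below.
                .dispatcherTypeMatchers(DispatcherType.ERROR, DispatcherType.FORWARD).permitAll()
                // Same path rules as in the post, with placeholder authority names.
                .requestMatchers("/user/*").hasAnyRole(USER_ROLE)
                .requestMatchers("/admin/*").hasAuthority(ADMIN_AUTHORITY)
                // Everything else, including a direct request to /error, needs a session.
                .anyRequest().authenticated()
        ).saml2Login(saml2 -> {});
        return http.build();
    }
}
```

Scoping the exemption to the dispatcher type keeps the default-deny posture of `anyRequest().authenticated()` intact: the error page can still be rendered for a request that already failed inside the application, but unauthenticated clients gain no new reachable endpoint.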