
OAuth2 JWT does not work if there is no Authorization attribute in the HTTP header or Authorization does not start with 'Bearer ' #15844

Open
tongshushan opened this issue Sep 24, 2024 · 3 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments


tongshushan commented Sep 24, 2024

Hello,
I use OAuth2 JWT connected to the Keycloak server to verify the user's JWT token, but I find that if there is no Authorization attribute in the HTTP header, or no Bearer keyword in the token, the JWT validation does not work (even if the token is expired). Did I misconfigure anything?

Below are the 3 methods to call my API; I use the expired token to test:

method 1:
curl --location 'http://localhost:8080/api/xxxx' --header 'Authorization: Bearer expiredToken'
returns 401 (works as expected)

method 2, no Authorization attribute in the header:
curl --location 'http://localhost:8080/api/xxxx'
expected to return 401 but returns 200

method 3, the token has no Bearer:
curl --location 'http://localhost:8080/api/xxxx' --header 'Authorization: expiredToken'
expected to return 401 but returns 200

To Reproduce
OAuth2 JWT config as below (issuer-uri is the Keycloak server):

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://abcd.com/auth/realms/athena-dev
          jwk-set-uri: https://abcd.com/auth/realms/athena-dev/protocol/openid-connect/certs
```

OAuth2 version:
org.springframework.security:spring-security-oauth2-resource-server:jar:5.1.2.RELEASE
and
org.springframework.security:spring-security-oauth2-resource-server:jar:6.2.4

@tongshushan tongshushan added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 24, 2024
@tongshushan tongshushan changed the title Oauth2 jwt not work if no Authorization in http header or Authorization not start with 'Bearer ' Oauth2 jwt not work if no Authorization attribute in http header or Authorization not start with 'Bearer ' Sep 24, 2024
@rohitsirohi85

Hey, I read your issue, and according to your problem there must be a logic error. You have to check the security and authorization of your endpoints. Maybe you did not set the secure endpoint for the API; that is why it still runs when you provide no Auth. Maybe you made that API publicly accessible.

@tongshushan

Hi @rohitsirohi85,
I think I have not made the API public, because if I call the API as below, I get 401. That means OAuth2 works, right?

curl --location 'http://localhost:8080/api/xxxx' --header 'Authorization: Bearer expiredToken'


tongshushan commented Sep 25, 2024

I found that the root cause is this line:

httpSecurity.addFilterAfter(getMyAuthenticationRequestFilterBean(), BearerTokenAuthenticationFilter.class);

If I remove this line, I get 401 when there is no Authorization or Bearer.

But this line will parse and get some info from the JWT token and do some business logic in the filter. So if I remove it, is there any way to do the same logic but not impact the Authorization validation?

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${spring.mvc.servlet.path}")
    private String BASE_URL;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().ignoringAntMatchers("/**");
        // validate jwt token at first
        httpSecurity.cors().and().oauth2ResourceServer().jwt();
        httpSecurity
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers(BASE_URL + "/api/xxxx").hasAnyAuthority(ADMIN)
                .anyRequest().authenticated()
                .and()
                .exceptionHandling().accessDeniedPage(BASE_URL + "/access");
        // custom filter that reads the jwt; removing this line restores the 401 behaviour
        httpSecurity.addFilterAfter(getMyAuthenticationRequestFilterBean(), BearerTokenAuthenticationFilter.class);
        httpSecurity.headers().cacheControl();
    }
....
}
```
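An added example, not code from this issue or from the Spring Security project, showing one way to keep the business logic of the custom filter without affecting authorization. The filter reads claims only from the `JwtAuthenticationToken` that `BearerTokenAuthenticationFilter` has already validated and never writes to the `SecurityContext` or re-parses the `Authorization` header itself; a request with no token, or with a token lacking the `Bearer ` prefix, therefore reaches the authorization rules unauthenticated and is rejected with 401, which is the symptom the thread asks for. It assumes Spring Security 6 (`jakarta.servlet` imports and the `web.authentication` package for `BearerTokenAuthenticationFilter`; Spring Security 5.x uses `javax.servlet` and `org.springframework.security.oauth2.server.resource.web`). The class names, request attribute names and the business-logic placeholder are assumptions; `preferred_username` is the standard OIDC claim that Keycloak issues.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not from the issue or from Spring Security): a filter that
 * extracts claims from an already-validated bearer token. Class and attribute
 * names are assumptions for illustration.
 */
public class ClaimsToRequestAttributesFilter extends OncePerRequestFilter {

    // Request attribute names are assumptions; use whatever the business logic reads.
    public static final String ATTR_SUBJECT = "app.jwt.subject";
    public static final String ATTR_USERNAME = "app.jwt.preferred_username";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // Only a JwtAuthenticationToken proves that signature, issuer and expiry
        // were checked by BearerTokenAuthenticationFilter. Anything else (null or
        // anonymous) is left untouched so AuthorizationFilter still rejects the
        // request with 401.
        if (authentication instanceof JwtAuthenticationToken) {
            Jwt jwt = ((JwtAuthenticationToken) authentication).getToken();
            request.setAttribute(ATTR_SUBJECT, jwt.getSubject());
            request.setAttribute(ATTR_USERNAME, jwt.getClaimAsString("preferred_username"));
            // Place the rest of the business logic here; it runs only for
            // requests that carried a valid "Bearer <jwt>" header.
        }

        // Do not call SecurityContextHolder.getContext().setAuthentication(...)
        // and do not read the Authorization header here: a filter that
        // authenticates the request itself from an unverified header is what
        // lets a missing or prefix-less token through.
        chain.doFilter(request, response);
    }
}

/**
 * Registration in Spring Security 6 style (WebSecurityConfigurerAdapter is gone).
 * Assumed configuration for the example, not the project's own.
 */
@Configuration
class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Runs after the bearer token has been validated, so the
            // SecurityContext holds either a JwtAuthenticationToken or nothing.
            .addFilterAfter(new ClaimsToRequestAttributesFilter(), BearerTokenAuthenticationFilter.class);
        return http.build();
    }
}
```

With this arrangement the three curl calls from the first post behave as the poster expects: the expired `Bearer` token fails validation in `BearerTokenAuthenticationFilter`, and the other two requests carry no bearer token at all, so the `SecurityContext` stays empty and `anyRequest().authenticated()` returns 401. The rule of thumb when reviewing a custom filter placed after `BearerTokenAuthenticationFilter` is that it may read the `Authentication` but must never create one from the raw header.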
