47

The resources are under src/main/resources/static/css or src/main/resources/static/js. I'm using Spring Boot, and the security class is:

@Configuration
@EnableWebMvcSecurity
@EnableGlobalAuthentication
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
//      http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
//              .permitAll().anyRequest().authenticated();
//      http.formLogin().loginPage("/login").permitAll().and().logout()
//              .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().withUser("test").password("test")
                .roles("USER");
    }
}

It works well (resources can be loaded) when I access "/index" from the browser. However, if I uncomment the four lines in the class, resources cannot be loaded. The four lines are:

    http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
            .permitAll().anyRequest().authenticated();
    http.formLogin().loginPage("/login").permitAll().and().logout()
            .permitAll();

Could anyone help with this? Thanks in advance.

jww
Junjie

8 Answers

38

You probably want to make sure to have your directory containing those items set as permitAll.

Here's an excerpt from my spring security context file. Under the resources directory, I have js, css, and images folders which are given permissions by this line.

<security:intercept-url pattern="/resources/**" access="permitAll" />
John Humphreys
  • 25
    Thanks for your notification. I added the line `http.authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll();` into `protected void configure(HttpSecurity http)` and then it works, thanks a lot. – Junjie Aug 18 '14 at 17:32
  • 1
    No problem. I used a pretty sweet maven archetype I found online to generate this project, and it started out with a working, spring MVC, spring security, JPA, and thymeleaf project. It's got a very good spring java config setup by default, you might want to check it out: https://github.com/kolorobot/spring-mvc-quickstart-archetype. – John Humphreys Aug 18 '14 at 17:46
  • It's really good to me and I have joined the watch list, will have a try later, thanks again~ – Junjie Aug 18 '14 at 17:53
  • Where should this file be located? Any examples? – Martin Erlic Feb 06 '17 at 17:03
  • 1
    Spring Boot will, by default, permit access to `/css/**`, `/js/**`, `/images/**`, and `/**/favicon.ico`. – Shubham A. Apr 04 '17 at 14:59
  • @Junjie Thanks a lot bro! :D – Skizo-ozᴉʞS ツ Nov 24 '17 at 12:03
18

For some reason, this did not work for me:

http.authorizeRequests().antMatchers("/resources/**").permitAll();

I had to add this:

http.authorizeRequests().antMatchers("/resources/**").permitAll().anyRequest().permitAll();

Also, this line has to be after the code which restricts access.

Str
  • 7
    In this way you removed all security, the '.anyRequest().permitAll()' will permit all requests, you must find the right path to your resources and use it. If you use spring security, then usually anyRequest() has to be authenticated() – Frighi Feb 08 '19 at 11:06
  • you might as well not even do the first antmatcher then lol – Braden Borman Jun 20 '22 at 17:17
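
The configuration below combines the working parts of this thread, as an added example that is not code from any of the posters. The class name `StaticResourceSecurityConfig` is hypothetical; the public pages and static paths are the ones given in the question and its comments, and the `WebSecurityConfigurerAdapter` API used in the question is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Weak form discussed above: the trailing catch-all makes every URL public.
        //   http.authorizeRequests().antMatchers("/resources/**").permitAll()
        //           .anyRequest().permitAll();

        http.authorizeRequests()
                // Rules are checked in declaration order and the first match wins,
                // so the narrow public patterns must come before the catch-all.
                .antMatchers("/", "/index", "/quizStart").permitAll()
                // Spring Boot serves src/main/resources/static/css at /css/**,
                // not at /static/css/** or /resources/css/**.
                // permitAll() keeps these requests inside the filter chain, so
                // security headers are still written; web.ignoring() would skip
                // the chain entirely for the matched paths.
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                // The catch-all stays last and stays authenticated.
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}
```
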
13

Add following

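@Override
public void configure(WebSecurity web) throws Exception {
    // Only the static resource paths bypass the security filter chain.
    // A trailing .anyRequest() here would exclude every request from Spring Security.
    web.ignoring().antMatchers("/resources/**");
}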
Yogesh Bombe
11

You can also use a pattern directly, like "/*.js" for specific files or "/resources/**" for a directory:

http.authorizeRequests()
        .antMatchers("/", "/login", "/logout", "/error").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/*.js").permitAll()
        .antMatchers("/api/**").authenticated();
Om Prakash Sharma
10

I had the same problem and the permitAll() solution didn't work for me. I added the following @Override method to my WebSecurityConfig class.

@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/img/**", "/icon/**");
}

Good Luck!

Athena
0

I had the same problem and changing access to "permitAll" didn't help. I created a new http pattern where I set security to "none" and then I was able to download the css and js files without authentication.

<http pattern="/resources/**" security="none" />
JohnP
0

This finally worked for me. The /home (which will bring up the login page) and error messages do not need authentication. All the resources are permitAll, and the /main url is authenticated. Any other url (eg. /users /customers etc..) would need to be added as isAuthenticated()

  <security:intercept-url pattern="/home" access="isAnonymous()"/>
  <security:intercept-url pattern="/error*" access="isAnonymous()"/>      
  <security:intercept-url pattern="/main" access="isAuthenticated()"/>
  <security:intercept-url pattern="/css/**" access="permitAll" />     
  <security:intercept-url pattern="/js/**" access="permitAll" />
  <security:intercept-url pattern="/fonts/**" access="permitAll" />
  <security:intercept-url pattern="/images/**" access="permitAll" />
Shahriar
0

.antMatchers("/*.js", "/*.css").permitAll()

Braden Borman