In my Spring Boot application, I have:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity httpSecurity)
        throws Exception 
    {
        httpSecurity
            .authorizeRequests()
            // various GET/POST path enable rules, none of which would enable access to default ones (see log below)
            ...
            // finally, deny everything else
            .antMatchers("/**").denyAll()
            ...
    }
}

At startup, the log shows:

2016-01-29 13:20:49.379  INFO 8044 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []

and I can access, for example, localhost:8080/blah/favicon.ico even though I would expect it to be blocked.

I tried to follow the recommendations in "Security configuration with Spring-boot" and "Spring Security exclude url patterns in security annotation configuration".

Per docs at http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security, I also tried setting security.ignored to various paths, as well as annotating the above class with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER), all to no avail.

Is there a simple way to disable the DefaultSecurityFilterChain so that it does not add these ignored (insecure) paths for common static resource locations?

If not, what is the proper configuration, either in Java or in application.properties, to disable these paths?


OK, so there are two ways to do it:

In application.properties, set security.ignored=none.

Or, create the following class:

import java.util.List;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.stereotype.Component;

@Component
public class CustomSecurityProperties extends SecurityProperties {
    public CustomSecurityProperties() {
        // the default list is empty
        List<String> ignoredPaths = getIgnored();
        ignoredPaths.add("none");
    }
}

A hint for the magic none came from lines 121-130 of SpringBootWebSecurityConfiguration at https://github.com/spring-projects/spring-boot/blob/master/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

Either solution still leaves the following in the log:

2016-01-29 17:53:12.830  INFO 3008 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]

This indicates that a ResourceHttpRequestHandler is created to serve the favicon.ico file. However, /blah/favicon.ico can no longer be accessed.

  • What do you have under // various GET/POST path enable rules? – Brian Kates Jan 29 '16 at 18:54
  • A long list of paths parameterized by `public static final String ...`, which is why I did not publish them. For the anonymous HttpMethod.GET, these paths certainly do not include the said `/blah/favicon.ico` that I used for the simple test. That path is clearly enabled by a default rule. Another test that I just tried was to access `/css/favicon.ico` -- since I use `/styles` instead of `/css`, it should have not succeeded but it did. – user1408140 Jan 29 '16 at 19:09
  • 1
    Have you looked at the Actuator to determine what auto-configuration may have added it? http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready – nicholas.hauschild Jan 29 '16 at 19:58
  • @nicholas.hauschild Re-reading the docs I referenced above, the responsible component seems to be `SpringBootWebSecurityConfiguration`. Apparently, it can be controlled via `SecurityProperties` or via the externalized application properties (which, presumably means the security.ignored, which I could not get to work). So, I will try to experiment with a `SecurityProperties` bean. – user1408140 Jan 29 '16 at 20:56
  • I figured it out -- see update above. – user1408140 Jan 29 '16 at 23:20
  • You can achieve the same result by `@EnableWebSecurity` annotation at your `@Configuration` class – WildDev Jan 29 '17 at 20:09
  • @user1408140 when you answer your own question you need to actually add an _answer_ – Michael Wiles Dec 24 '21 at 05:49
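The security-relevant detail in the startup log above is the trailing `[]`: that is the filter list of the chain created for the ignored patterns, and it is empty. Requests matching `/css/**`, `/js/**`, `/images/**`, `/**/favicon.ico` or `/error` are routed to that chain and never reach the `denyAll()` rule, which is why `/blah/favicon.ico` and `/css/favicon.ico` were served (`/**/favicon.ico` matches a `favicon.ico` at any depth). The example below is added here and is not the question's code: it combines `security.ignored=none` with a configuration that whitelists the static locations actually in use with `permitAll()`, so those requests stay inside the security filter chain instead of bypassing it. The package name, the `/styles/**` location and the `/api/**` paths are assumptions for illustration.

```java
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Deny-by-default configuration for Spring Boot 1.x / Spring Security 4.x.
 *
 * Requires, in application.properties:
 *
 *   security.ignored=none
 *
 * Without it, Boot's auto-configuration registers a second filter chain with
 * no filters for /css/**, /js/**, /images/**, /**\/favicon.ico and /error, and
 * requests matching those patterns never reach the rules below.
 */
@Configuration
@EnableWebSecurity
public class DenyByDefaultSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Static resources that really are public (assumed location: /styles/**).
                // permitAll() keeps them INSIDE the security filter chain, so they still
                // pass through the security filters; only the authorization decision is "allow".
                .antMatchers(HttpMethod.GET, "/styles/**", "/favicon.ico").permitAll()
                // Boot's default list also ignored /error; once nothing is ignored,
                // permit it explicitly so an error page is not itself denied.
                .antMatchers("/error").permitAll()
                // Application endpoints (assumed paths).
                .antMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .antMatchers("/api/**").authenticated()
                // Everything else, including /blah/favicon.ico, /css/**, /js/** and
                // /images/**, is denied. anyRequest() is the idiomatic catch-all.
                .anyRequest().denyAll()
                .and()
            .httpBasic();
    }
}
```

The difference between `permitAll()` and an ignored path is the one that matters here: an ignored path is handled by a chain with no filters at all, while a permitted path still goes through the full chain and only skips the authorization check. Note that `security.ignored` is a Spring Boot 1.x property; Spring Boot 2.0 removed it and no longer ignores these static locations by default.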

1 Answer


In your last antMatcher to be denied, have specific URLs without having the single slash, which will block all endpoints.