spring boot secure rest api with spring security

Question

i have web-app and i want to secure my rest API i follow some tutorial and i succeeded to implement that the rest API is secure. but when i added html files in my web-app when i calling those pages for the first time it show me the login area to enter. i just want to secure the rest API not all the web-app
in my case this is my application.properties

spring.datasource.url=jdbc:mysql://localhost/geekycoders_myteam
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.jpa.database-platform=org.hibernate.dialect.MySQL5Dialect
spring.jpa.hibernate.ddl-auto=update
spring.jpa.generate-ddl=true
logging.level.org.springframework.boot.autoconfigure.security=INFO
security.user.name=admin
security.user.password=admin

and this is my SecurityConfig class

public class SecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
        http
          .csrf().disable()
          .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/api/**").authenticated()
            .antMatchers(HttpMethod.PUT, "/api/**").authenticated()
            .antMatchers(HttpMethod.DELETE, "/api/**").authenticated()
            .antMatchers(HttpMethod.GET, "/api/**").authenticated()
            .anyRequest().permitAll()
            .and()
          .httpBasic().and()
          .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
      }
    }

and this is a sample controller

@RestController
@RequestMapping("/api/user")
public class UserController {

    @Autowired
    UserRepository userRepository;

    @RequestMapping("/findall")
    @ResponseBody
    public List<User> findall(){
        return userRepository.findAll();

    }
    @RequestMapping("/find")
    @ResponseBody
    public User getUser(@PathParam("id") int id){
        return userRepository.findOne(id);
    }

}

and i have index.html into directory webapp some help

score 0 · Answer 1 · answered Aug 31 '18 at 18:11

0

If anyone is reading this now, I have noticed that by including Spring Security in your build file, the authorization is enabled by default on the entire application as a whole.

answered Aug 31 '18 at 18:11

James P.

16
7

score -1 · Answer 2 · answered Feb 17 '17 at 13:31

-1

Nothing wrong with your code. You would need to set up a default configuration as well which will permit everything else. XML equivalent security expression could be like this (Make sure you put it in the right order):

 <security:http use-expressions="true" pattern="/**">
    <security:intercept-url pattern="/**" access="permitAll()"/>
 </security:http>

answered Feb 17 '17 at 13:31

sanjeev

11
1

try these lines of code after .antMatchers(HttpMethod.GET, "/api/**").authenticated() .antMatchers(HttpMethod.GET, "/**").permitAll() – sanjeev Feb 17 '17 at 15:38

score -1 · Answer 3 · answered Feb 17 '17 at 13:34

-1

You can permit access to some of your directories:

http.authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll();

answered Feb 17 '17 at 13:34

B. Bri

546
2
7
23

i need to permit access to my html files without prompting to login – Mohamed chiheb Ben jemaa Feb 17 '17 at 13:39
You can add /html/** to the list to have access to all files placed under that directory. They are path, in my case I place files in different directories. If your files are at the root you can simply add "/**". – B. Bri Feb 17 '17 at 13:52

spring boot secure rest api with spring security

3 Answers3