0

In my Spring Boot application, I configure Spring Security as

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
        .antMatchers("/css/**", "/js/**", "/images/**", "**/index.html").permitAll()
        .antMatchers("/**.html").permitAll()
        .antMatchers(HttpMethod.POST, "/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .addFilterBefore(new LoginFilter("/login"), BasicAuthenticationFilter.class)
        .addFilterBefore(new TokenFilter(), BasicAuthenticationFilter.class);
  }
}

I have index.html under resources/static/index.html. This stopped serving after I enabled security. What am I missing?

If I go back when I do not have any security, I get my HTML rendered on server.

Vy Do
  • 46,709
  • 59
  • 215
  • 313
daydreamer
  • 87,243
  • 191
  • 450
  • 722
  • 1
    Does .antMatchers("/*.html").permitAll() work for you? I was under the impression that ** is for directories and * for characters: http://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/util/AntPathMatcher.html – Adam Gerard May 06 '17 at 01:41
  • that does not work either – daydreamer May 06 '17 at 02:17
  • Did you annotate your `WebSecurityConfig` class with `@Configuration`? And show your `LoginFilter` and `TokenFilter`. – dur May 06 '17 at 09:35
  • And what response do you get? 401, 403 or ... – dur May 06 '17 at 09:40

2 Answers2

0

try to change to /**/index.html. For Ant path matcher

? matches one character
* matches zero or more characters
** matches zero or more directories in a path
{spring:[a-z]+} matches the regexp [a-z]+ as a path variable named "spring"
chaoluo
  • 2,596
  • 1
  • 17
  • 29
  • nope, there is somethings about the order I guess which is wrong – daydreamer May 06 '17 at 06:33
  • 1
    You can debug in `org.springframework.security.web.FilterChainProxy#doFilterInternal` to watch all the filter chains. or you can enable the spring security debugger to watch the logger. – chaoluo May 06 '17 at 08:20
0

I came across the same issue. I followed this to solve basic static content issue where adding a configuration class that extends WebMvcConfigurer solved that issue.

But it was just a @Configuration bean.

When I changed it to @EnableWebMvc as mentioned here, static content loaded after enabling Spring Security.

Interestingly when I had both annotation, it didn't work.

Abraham Zsombor Nagy
  • 53
  • 4