2

I'm building a Spring MVC application with Spring Security and Bootstrap in my HTML files (JSP).

I am currently working to fix the following error in my application:

"Refused to execute script from 'http://localhost:8080/App/Template/js/modernizr.min.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled." (login page of app)

The error message above comes from the chrome developer console.

Here the basic configuration

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

@Autowired
      protected void globalConfig(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
     //auth.inMemoryAuthentication().withUser("user").password("123").roles("USER");
         auth.jdbcAuthentication()
             .dataSource(dataSource)
             //.passwordEncoder(passwordEncoder()) décrupt paswd
             .usersByUsernameQuery("select username as principal, password as credentials, etat as actived from utilisateurs where username=?")
             .authoritiesByUsernameQuery("select u.username as principal, ur.nom_role as role from utilisateurs u inner join roles ur on(u.roles_id=ur.id_role) where u.username=?")
             .rolePrefix("ROLE_");
     }

@Bean
    public PasswordEncoder passwordEncoder(){
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

protected void configure(HttpSecurity http) throws Exception {

        http
          .sessionManagement().maximumSessions(100).maxSessionsPreventsLogin(false).expiredUrl("/Login");
          http
           .authorizeRequests()
           .antMatchers("/images/**","/pdf/**","/Template/**","/Views/**","/MainApp.js","/css/**", "/js/**").permitAll()
           .antMatchers("/Users/**").access("hasRole('ADMIN')")
           .antMatchers("/Login").anonymous()
           .anyRequest().authenticated()
           .and()
           .exceptionHandling().accessDeniedPage("/403")
           .and()
           .formLogin().loginPage("/Login").permitAll()
           .defaultSuccessUrl("/")
           .failureUrl("/Login?error=true")
               .and()
               .csrf()
               .and()
                .rememberMe().tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(360000);
   }

@Autowired
DataSource dataSource;

@Bean
public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }

}

-APPConfigurationApplication.java :

@SpringBootApplication  
@ComponentScan
@ImportResource("SpringBeans.xml")
public class APPConfigurationApplication extends SpringBootServletInitializer {

    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(APPConfigurationApplication.class);
    }

    public static void main(String[] args) {
        SpringApplication.run(APPConfigurationApplication.class, args);

    }

-MvcConfig.java:

@Configuration
public class MvcConfig  extends WebMvcConfigurerAdapter{
 @Override
public void configureDefaultServletHandling(
     DefaultServletHandlerConfigurer configurer) {
            configurer.enable();

}
}

-Here are the response Headers of the request:

Request URL:http://localhost:8080/App/Login

Request Method:GET

Status Code:200 

Remote Address:[::1]:8080

Referrer Policy:no-referrer-when-downgrade

Response Headers

view source

Cache-Control:no-cache, no-store, max-age=0, must-revalidate

Content-Language:fr-FR

Content-Length:4289

Content-Type:text/html;charset=UTF-8

Date:Tue, 09 May 2017 09:18:15 GMT

Expires:0

Pragma:no-cache

X-Content-Type-Options:nosniff

X-Frame-Options:DENY

X-XSS-Protection:1; mode=block

Request Headers

view source

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Encoding:gzip, deflate, sdch, br

Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4

AlexaToolbar-ALX_NS_PH:AlexaToolbar/alx-4.0.1

Cache-Control:max-age=0

Connection:keep-alive

Cookie:JSESSIONID=6DDBA94C937FADFB889C8CFDDD9E47A3

Host:localhost:8080

Upgrade-Insecure-Requests:1

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 

like Gecko) Chrome/57.0.2987.133 Safari/537.36

but this error occurs only when the application is opened for the first time in the browser. Once I proceed to login and then come back to the login page again, the error does not occur.

Edit1:

-Web.xml :

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
  <display-name>Audit_Configuration</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>

  <servlet>
  <servlet-name>DefaultServlet</servlet-name>
  <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
</servlet>

 <!-- DEFAULT -->
<servlet-mapping>
    <servlet-name>DefaultServlet</servlet-name>
    <url-pattern>/Template/css/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>js</servlet-name>
    <url-pattern>/Template/js/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>DefaultServlet</servlet-name>
    <url-pattern>/images/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>DefaultServlet</servlet-name>
    <url-pattern>/pdf/*</url-pattern>
</servlet-mapping>

</web-app>

Here are my files in the "static"

here path files

How must I configure Spring Security that I can load css/js files from my /static resources directory?

Michael1
  • 253
  • 1
  • 6
  • 19
  • have a look at this http://stackoverflow.com/a/34282044/7081346 . – S Jayesh May 09 '17 at 09:26
  • Thanks for your reply @Jayesh, I tried to configure the **web.xml** file as in the link but still the same problem: the code JS does not work – Michael1 May 09 '17 at 09:36
  • do same for `js` instade of css ( use different servlet name for them) – S Jayesh May 09 '17 at 09:40
  • I have changed the name like this:      js servlet-name>      / Template / js / * url-pattern> Servlet-mapping>  **I have this problem:** Refused to execute script from 'http: // localhost: 8080 / App/Template / js / modernizr.min.js' because its MIME type ('text / html') is not executable, and strict MIME type checking is enabled. And other JS files – Michael1 May 09 '17 at 09:50
  • Is that there is a configuration in spring security ? , – Michael1 May 09 '17 at 09:54
  • 1
    Say you are using Apache Tomcat as web container then, in _web.xml_ add these lines `jsorg.apache.catalina.servlets.DefaultServletjs*.js` here it is for `.js` files you can do the same for `.css` / `.jpeg` / any other file extensions other than you specified on viewResolver (i.e. `.jsp`). – S Jayesh May 09 '17 at 11:27

1 Answers1

0

The solution is to add this code in the web.xml file:

<servlet>
  <servlet-name>js</servlet-name>
  <servlet-class>org.a‌​pache.catalina.servl‌​ets.DefaultServlet</‌​servlet-class>
</serv‌​let>
<servlet-mapping‌​>
  <servlet-name>js</s‌​ervlet-name>
  <url-pat‌​tern>*.js</url-patte‌​rn>
</servlet-mapping‌​>
Paul Roub
  • 36,322
  • 27
  • 84
  • 93
Michael1
  • 253
  • 1
  • 6
  • 19