My configuration of Spring Security is

@Override
  public void configure(WebSecurity web) throws Exception {
    web
      .ignoring()
         .antMatchers("/resources/**"); // #3
  }

Taken from here. The documentation for ignoring says

Allows adding RequestMatcher instances that Spring Security should ignore. ... Typically the requests that are registered should be that of only static resources.

I would like to add some headers to files served from resources. E.g.: Strict-Transport-Security: max-age=31536000, X-Content-Type-Options: nosniff.

How can I do it?

user482745

3 Answers

One solution is to change it to

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Keep /resources/** inside the security filter chain (so the header filters run),
    // but let everyone through without authentication.
    http.authorizeRequests().antMatchers("/resources/**").permitAll()
        .and()
        .antMatcher("/resources/**").headers().cacheControl();
}

Example of how to allow cache control headers PLUS ALL DEFAULT SPRING SECURITY HEADERS.

user482745
  • Is there other way? Filters? – user482745 Jun 21 '17 at 10:08
  • There is no ".authorizeRequests()" Method in my WebSecurity class. I'm using Spring 1.2. – Kalaschni Sep 12 '18 at 13:03
  • Thanks for the edit. This does not "solve" my problem, because the "WebSecurity.ignored()" disables the whole "try to authenticate" thing. And you solution does not. I have posted how I have done it. ;) – Kalaschni Sep 13 '18 at 07:21
  • Can you explain what was meant by "WebSecurity.ignored()"? – user482745 Sep 14 '18 at 10:49
  • The `WebSecurity.ignored()` was meant to be the `web.ignoring()` of your original answer, sorry for the typo. This statement does, as far as I know, disable the whole `HttpSecurity` configuration, but I have found a trick to run a filter anyway, as I described in my answer. – Kalaschni Sep 17 '18 at 06:20

I have struggled with the same problem. When I ignored specific requests in WebSecurity, the headers were gone.

I fixed the missing headers by applying a filter on each request that adds my headers.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(securityHeaderFilter, BasicAuthenticationFilter.class)
        ...
}

The filter code looks like this. The important thing to note here is that the Filter must be declared as a @Component. When you miss the @Component annotation, the filter will be ignored.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

@Component
public class SecurityHeaderFilter implements Filter {

    @Override
    public void init(FilterConfig fc) throws ServletException {
        // Do nothing
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Set the headers before continuing the chain, so they are present
        // no matter which downstream servlet writes the body.
        httpServletResponse.setHeader(
                "custom-header1", "header-value1");
        httpServletResponse.setHeader(
                "custom-header2", "header-value2");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Do nothing
    }
}
Kalaschni

I have used the following solution:

import java.util.ArrayList;
import java.util.List;

import org.springframework.boot.web.servlet.FilterRegistrationBean; // Spring Boot 1.4+/2.x package
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;

@Bean
public FilterRegistrationBean setHeaders() {
    // max-age of one year, includeSubDomains; HstsHeaderWriter only writes the header
    // on secure (HTTPS) requests by default.
    HstsHeaderWriter hstsHeaderWriter = new HstsHeaderWriter(31536000, true);
    XContentTypeOptionsHeaderWriter xContentTypeOptionsHeaderWriter = new XContentTypeOptionsHeaderWriter();
    List<HeaderWriter> headerWriters = new ArrayList<>();
    headerWriters.add(hstsHeaderWriter);
    headerWriters.add(xContentTypeOptionsHeaderWriter);
    HeaderWriterFilter headerWriterFilter = new HeaderWriterFilter(headerWriters);
    // Registered as a plain servlet filter, so it runs even for paths Spring Security ignores.
    FilterRegistrationBean bean = new FilterRegistrationBean(headerWriterFilter);
    bean.setOrder(1);
    return bean;
}

The above bean will add a filter globally on all the resources (even the ignored ones). You can check out the various implementations of org.springframework.security.web.header.HeaderWriter.java for the different kinds of security headers and add them all to HeaderWriterFilter.java.

meowth