0

I've been struggling for a few days over this. Aside from quirky things that seem to be happening inconsistently and unpredictably by simply commenting out a bit of code, running the program, and then uncommenting and running again, I'm failing to understand how overriding the various configure methods works.

I want WebSecurity to always ignore "/static/**".

Upon launching the application and navigating to the homepage, I can access all of the pages for which I have permitted all, but all of the content in "/static/**" is being ignored until after I have navigated to the login page and logged in as an authenticated user. So the application just appears as white pages with text, without any of the styling at all until logged in.

Here is the code for my AppSecurityConfig class. I have omitted the helper methods for handling success and failure of logging in, and I also have two different account types that serve different roles, so I have only included one account here for simplification. The part where I believe the problem exists is in the configure(WebSecurity web) method, where I am calling the .ignoring() method and passing the "/static/**" arg. Thank you in advance:

```java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private CompanyService companyService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(companyService);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/static/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/",
                        "/account_registration",
                        "/candidate_registration",
                        "/addCandidate",
                        "/company_registration",
                        "/addCompany",
                        "/select_account_type",
                        "/candidate_login",
                        "/company_login").permitAll()
                .antMatchers("/company_profile").hasRole("COMPANY")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/company_login")
                .permitAll()
                .successHandler(companyLoginSuccessHandler())
                .failureHandler(companyLoginFailureHandler())
                .and()
            .logout()
                .logoutSuccessUrl("/");

    }
}
```
CBruenger
  • Open the dev tools in your browser and inspect the path for the resources which are having their access denied. They may be different to /static/**. – Sam Mar 05 '18 at 08:27
  • Can you show your folder structure as well? Where is "static" folder located? – Bunyamin Coskuner Mar 05 '18 at 08:29
  • https://stackoverflow.com/questions/39152803/spring-websecurity-ignoring-doesnt-ignore-custom-filter – Umesh Kumar Sharma Mar 05 '18 at 08:33
  • Remove anyRequest().authenticated() if you want users without authentication to access /statics/** urls. I think it overrides ignore. – M2E67 Mar 05 '18 at 08:47
  • Possible duplicate of [Serving static web resources in Spring Boot & Spring Security application](https://stackoverflow.com/questions/24916894/serving-static-web-resources-in-spring-boot-spring-security-application) – dur Mar 05 '18 at 14:20

1 Answer

2

The path to my static folder is "src/main/resources/static", but I did what Sam said and opened the developer tools and realized that all of the contents within the "static" directory were being referenced directly. For example, there are directories referenced in this way: "/vendor/..." and "/images/...", that were being referenced but ignored due to security. There are also some files in the "static" directory like "app.css", "app.js" and "favicon.png" that are having some strange behavior. It appears that they are not being ignored, but different colors and styling are being displayed unless I also add them as arguments to the .ignoring() method, like "/app.css" etc. This project was built by working through a TeamTreehouse tutorial and then refactoring and adding custom styling between a few people on my 6-person team, and I'm pretty sure there are multiple things under the hood inherited in this project that the front-end people and I are not understanding when it comes to the styling.

The fix that seems to work, although maybe not ideal, was removing "/static/**" from the .ignoring() method and replacing it with all of the contents that were actually inside the "static/" directory:

```java
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers( "/images/**",
        "/vendor/**",
        "/app.css",
        "/app.js",
        "/favicon.png");
}
```
CBruenger
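An alternative to the fix in the answer above, as an added example that is not the poster's code: the same asset paths are opened with permitAll() inside HttpSecurity, so they stay in the security filter chain and still receive Spring Security's response headers, which web.ignoring() skips. It assumes Spring Boot's default static resource mapping (spring.mvc.static-path-pattern left at /**); the class name StaticResourceSecurityConfig and the PUBLIC_ASSETS constant are hypothetical, and the poster's user-details service and login handlers are not wired in.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example; class and constant names are hypothetical.
@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // With Spring Boot's default mapping, src/main/resources/static/app.css is
    // requested as /app.css, never as /static/app.css. Matchers are compared
    // against the request URL, so they must name the URL paths, not the folder.
    private static final String[] PUBLIC_ASSETS = {
        "/images/**", "/vendor/**", "/app.css", "/app.js", "/favicon.png"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll() lets anonymous users fetch the assets while the
                // filter chain still runs for them; web.ignoring() would remove
                // these paths from the chain entirely.
                .antMatchers(PUBLIC_ASSETS).permitAll()
                .antMatchers("/", "/company_login").permitAll()
                .antMatchers("/company_profile").hasRole("COMPANY")
                // Rules are evaluated in order, so this catch-all comes last.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/company_login")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/");
    }
}
```

If the assets should instead be served under a /static/ URL prefix so that a "/static/**" matcher applies, Spring Boot's spring.mvc.static-path-pattern property can be set to /static/** and the page templates updated to reference those URLs.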