How can I enable Spring Security for only some routes? For example: I have a web site with content at different routes which start from '/**'. For these routes I need to disable Spring Security. But I have another web module, /admin-panel/**, where I must enable Spring Security.

So, my security config:

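```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/*").permitAll()
                .antMatchers("/admin-panel").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```
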
Nis
Yevhenii

With `permitAll()` you are disabling the authentication; `.antMatchers("/admin-panel").hasRole("ADMIN")` should work, it will check if the user has the ADMIN role or not. – RP- Mar 07 '18 at 06:49

1 Answer

Try this:

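```java
http
    // Registers AnonymousAuthenticationFilter for requests without credentials
    .anonymous()
    .and()
    .authorizeRequests()
    // Only the admin panel and everything below it requires a logged-in user
    .antMatchers("/admin-panel/**").authenticated()
    // Every other route stays open
    .anyRequest().permitAll();
```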

Anonymous access adds an additional filter, AnonymousAuthenticationFilter, to the filter chain. It populates an AnonymousAuthenticationToken as the Authentication information in case there is no Authentication object in the SecurityContext.

Reference: "Spring Security get user info in rest service, for authenticated and not authenticated users"

Vijay Nandwana
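
As an added example (not code from the question or the answer), this Java program uses `AntPathMatcher` from spring-core to evaluate the question's rules and the answer's rules in declaration order against a few constructed paths. The class `RouteRuleDemo`, the helper `decide`, and the use of `/**` to stand in for `anyRequest()` are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration: models the first-match-wins order of authorizeRequests()
// with spring-core's AntPathMatcher. Class and method names are hypothetical.
public class RouteRuleDemo {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns the access rule of the first pattern that matches the path.
    static String decide(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "no rule";
    }

    public static void main(String[] args) {
        // Rules from the question, in declaration order; "/**" stands in for anyRequest().
        Map<String, String> question = new LinkedHashMap<>();
        question.put("/*", "permitAll");
        question.put("/admin-panel", "permitAll");
        question.put("/**", "authenticated");

        // Rules from the answer, in declaration order.
        Map<String, String> answer = new LinkedHashMap<>();
        answer.put("/admin-panel/**", "authenticated");
        answer.put("/**", "permitAll");

        // Constructed sample request paths.
        String[] paths = {"/about", "/articles/2018/intro", "/admin-panel", "/admin-panel/users"};

        System.out.printf("%-24s %-16s %s%n", "path", "question", "answer");
        for (String path : paths) {
            System.out.printf("%-24s %-16s %s%n",
                    path, decide(question, path), decide(answer, path));
        }
    }
}
```

With the question's rules, `/admin-panel` itself is permitted because `/*` matches any single-segment path and is declared first, while multi-segment public paths such as `/articles/2018/intro` fall through to `authenticated`. With the answer's rules, `/admin-panel` and everything below it require authentication and all other paths are permitted.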