
At the moment I have a problem where the login page basically doesn't do anything, because if you enter the URL of a page directly, you can skip the login.

I'm using this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").hasAnyRole("Administrator", "Member")
                //.anyRequest().authenticated()
                .and()
                .formLogin().permitAll()
                    .loginPage("/login").permitAll()
                    .defaultSuccessUrl("/dashboard")
                    .failureUrl("/login?error")
                    .successHandler(authenticationSuccessHandler)
                .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login")
                    .logoutSuccessHandler(logoutSuccessHandler)
                .and()
                .csrf().disable();
    }

Note that `//.anyRequest().authenticated()` is commented out. This line seems to protect my website from being accessed directly through the URL; it redirects to the login page.

But if I enable it I can't see the CSS on my page and I get:

Refused to apply style from 'http://localhost:8080/login' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

How do I protect my website from someone who just knows the URL, but still see the CSS on the login page?

  • I've used all my flags for today, but this could help: https://stackoverflow.com/questions/25368535 – Impulse The Fox Apr 26 '18 at 10:19
  • try to authorize the login and css resources: `http.authorizeRequests().antMatchers("/css/**").permitAll() .antMatchers("/login").permitAll() .antMatchers("/").hasAnyRole("Administrator" , "Member") .anyRequest().authenticated() .and().formLogin().permitAll().loginPage("/login").permitAll() .defaultSuccessUrl("/dashboard") .failureUrl("/login?error") .successHandler(authenticationSuccessHandler) .and().logout() .logoutUrl("/logout").logoutSuccessUrl("/login").logoutSuccessHandler(logoutSuccessHandler).and().csrf().disable();` – Bourbia Brahim Apr 26 '18 at 10:26
  • @BooBerr'ita same error. NO CSS –  Apr 26 '18 at 10:34

2 Answers

Uncomment the `anyRequest().authenticated()` line, and then you must authorize access to your static resources:

    .antMatchers("/css/**").permitAll()

Do the same for JavaScript and other static resources.

Full config:

    http.authorizeRequests()
            // rules are evaluated in order and the first match wins, so the
            // static resources must be permitted BEFORE the anyRequest() catch-all
            .antMatchers("/css/**").permitAll()
            .antMatchers("/").hasAnyRole("Administrator", "Member")
            .anyRequest().authenticated()
        .and()
        .formLogin().permitAll()
            .loginPage("/login").permitAll()
            .defaultSuccessUrl("/dashboard")
            .failureUrl("/login?error")
            .successHandler(authenticationSuccessHandler)
        .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .logoutSuccessHandler(logoutSuccessHandler)
        .and()
        .csrf().disable();

Oreste Viron
  • I updated my answer. I cannot test my code right now, but I'm 100% sure that these methods exist. – Oreste Viron Apr 26 '18 at 10:19
  • lol... `.antMatchers("/css/**").permitAll().anyRequest().permitAll()` seems to be working xD. **nvm... now I can skip the login through the URL** –  Apr 26 '18 at 10:26

I usually configure the access for my resources by overriding another configuration, in addition to the one you described:

    @Override
    public void configure(WebSecurity web) throws Exception {
        // requests matching /resources/** bypass the security filter chain entirely
        web.ignoring().antMatchers("/resources/**");
    }

It seems more organized to me. You can add this to your Spring configuration class and replace 'resources' with your CSS path. I usually prefer to open up 'resources' and put my CSS inside (in a subdirectory) because it works for all kinds of resources, like images, CSS, etc.

Robson Farias
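Putting the two answers together, here is an added example configuration (not code from either answer or from the asker's project) that applies the ordering rule: public paths are matched before the `anyRequest()` catch-all, so the browser fetches a real stylesheet instead of being redirected to the HTML login page. It assumes Spring Security 5.x with `WebSecurityConfigurerAdapter` as in the question, static files under /css/**, /js/** and /images/** (assumed paths), and leaves out the custom success and logout handlers from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Second answer's approach: take truly public files out of the security
    // filter chain entirely. Nothing under this path is ever inspected.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top-down and the first match wins, so the
                // public paths must come BEFORE the catch-all. A matcher placed
                // after anyRequest() can never match, and newer Spring Security
                // versions refuse to start with such a configuration.
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()  // assumed paths
                // hasAnyRole() prepends ROLE_, so the users need ROLE_Administrator / ROLE_Member
                .antMatchers("/").hasAnyRole("Administrator", "Member")
                // Catch-all: every URL not listed above requires an authenticated
                // user. Without it, any page can be reached by typing its URL,
                // which is the "skip the login" problem from the question.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // permitAll() here keeps /login, the login-processing URL and
                // /login?error reachable for anonymous users
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/dashboard")
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutUrl("/logout")   // with CSRF enabled, logout must be a POST
                .logoutSuccessUrl("/login");
        // CSRF protection is left at its default (enabled). The question's config
        // disabled it, which a browser-based login form should not do.
    }
}
```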