Spring Security add filter to all Endpoint EXCEPT one

Question

I researched this and found this Answer on SO.

I do however have the complementary question to this one:

I have a set of filters, that i want to be applied to ALL requests, EXCEPT special cases (eg.: all paths except /mgmt/** and /error/**).

This cannot be done using the same method presented in the linked answer, as I would add the filters to the default http-security Object, which would then apply for the special cases too.

is there a thing like "negative matchers", allowing me to do something like:

http.negativeAntMatchers("/mgmt/**).addFilter(...)

to add a filter for everything except /mgmt/** ?

my code:

This is the config for "/mgmt", placing the ManagementBasicAuthFilter in the chain - this works, as no endpoints except "/mgmt/**" ask for basic auth.

@Order(1)
@Configuration
@RequiredArgsConstructor
public static class ManagementSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("mgmt/**")
                .csrf().disable()
                .headers().frameOptions().sameOrigin()
                .cacheControl().disable()
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .addFilterBefore(new ManagementBasicAuthenticationFilter(authenticationManager,
                        getAuthenticationEntryPoint(), "/mgmt"), BasicAuthenticationFilter.class)
                    .authorizeRequests()
                    .anyRequest()
                    .permitAll();
    }

    private BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("myApp");
        return entryPoint;
    }
}

This is the config for all entrypoints, EXCEPT mgmt - all filters in this file should NOT apply to /mgmt/**

@Order(2)
@Configuration
@RequiredArgsConstructor
@Import({ ResourceServerTokenServicesConfiguration.class })
@EnableOAuth2Client
public static class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    private final OAuth2ClientContextFilter clientContextFilter;
    private final OAuth2ClientAuthenticationProcessingFilter ssoFilter;
    private final StatePropagatingLoginRedirectFilter statePropagatingLoginRedirectFilter;


    @Override
    public void configure(WebSecurity web) {
      web.ignoring().antMatchers("/mgmt/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .headers().frameOptions().sameOrigin()
                .cacheControl().disable()
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .exceptionHandling()
                        .defaultAuthenticationEntryPointFor(
                            new LoginUrlAuthenticationEntryPoint("/login"),
                            request -> true)
                .and()
                .addFilterAfter(statePropagatingLoginRedirectFilter, AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterAfter(ssoFilter, statePropagatingLoginRedirectFilter.getClass())
                .addFilterAfter(clientContextFilter, ssoFilter.getClass())
                .authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}

When i Request eg.: "/mgmt/health", i get prompted for basic auth, but after login, the filters in the (statePropagating, sso, clientContext) still get applied - why is this?

score 5 · Answer 1 · answered Aug 27 '18 at 12:41

5

If I understand your question right, you don't want a filter to be applied to /mgmt then you could use

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

       @Override
       public void configure(WebSecurity web) {
          // Overridden to exclude some url's 
          web.ignoring().antMatchers("/mgmt");
       }


       @Override
       protected void configure(HttpSecurity http) throws Exception {
        // configure the other url's as required
       }

    }

answered Aug 27 '18 at 12:41

Nicholas K

15,148
7
31
57

thank you, I will try this - i only used the HttpSecurity-config up until now – billdoor Aug 27 '18 at 12:58
ok i was logged in without realizing when it worked, so i accepted the answer when in reality the problem was not solved, i will add details to the question – billdoor Aug 28 '18 at 06:29
it is the exact same question, i just added code as your answer did not solve the Problem and i thought , most likley more info is neccessary – billdoor Aug 28 '18 at 06:57
i figured it out, by searching for cases where your answer does not do the trick - so i want to give credit where it is due and not just accept my own answer as if i figured it out on my own – billdoor Aug 28 '18 at 07:14

score 2 · Accepted Answer · answered Aug 28 '18 at 07:10

thanks to kimhom and his answer in combination with Nicholas and e.g.78 i figured it out - web.ignoring does not work, for reasons i want to investigate later - what i forgot about is, that spring will automatically add all filters present as Beans to all filter chains. to prevent this, one can either

not register filters as beans and instantiate them manually where they are needed

add a FilterRegistrationBean for the filters in question and disable registration for them like this:

@Bean
public FilterRegistrationBean disableMyFilterBean(MyFilterBean filter) {
    FilterRegistrationBean registration = new FilterRegistrationBean(filter);
    registration.setEnabled(false);
    return registration;
}

Then my filters are only applied where i want them to - i do not even need to provide WebSecurity.ignoring matchers

score 1 · Answer 3 · answered Aug 27 '18 at 12:43

1

You can configure spring security to ignore some url patterns using web.ignoring In your case

web.ignoring().antMatchers("/mgmt/**");

answered Aug 27 '18 at 12:43

e.g78

667
4
8

1

web is the WebSecurity config item. Anyway, Nicholas K wrote a better answer. – e.g78 Aug 28 '18 at 13:02

score 0 · Answer 4 · answered Aug 27 '18 at 12:41

You'll need to permit all requests in "/mgmt/**" and make other requests authenticated, try something like that.

    http    
        .authorizeRequests()
                .antMatchers("**").hasAnyAuthority("ANY_AUTHORITY")
                .antMatchers("/mgmt/**").permitAll()
                .anyRequest().authenticated()

Spring Security add filter to all Endpoint EXCEPT one

4 Answers4

Linked