9

I have a Spring Boot application with Spring Security.

My problem is similar to this one, but in my case I want to redirect the user to the login page if he's not authenticated when he tries to access any page of the application.

The following image shows the architecture of the application:

Architecture of the app

My config class looks like this:

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").hasAnyRole("USER")
                .and().formLogin().loginPage("/login").permitAll()
                .and().authorizeRequests().antMatchers("/resources/**").permitAll().anyRequest().permitAll();
    }

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

}

With this configuration, no resource will be loaded. How can I configure my project to redirect the user to the login page if he's not authenticated and at the same time have my resources folder loaded?

Jordan Noel
  • 220
  • 2
  • 4
  • 14

4 Answers

5

Please check out the configure method:

@Override
  public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/login*").permitAll()
        .anyRequest().authenticated()
        .and().formLogin().loginPage("/login");
  }

and implement the WebMvcConfigurer class like below:

@Configuration
@EnableWebMvc
public class WebMvcConfiguration implements WebMvcConfigurer {

  @Override
  public void addResourceHandlers(final ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/static/**")
        .addResourceLocations("classpath:/static/");
  }
}

addResourceHandlers means find resources in /static.

RyanKim
  • 119
  • 4
  • The line `http.authorizeRequests().antMatchers("/resources/**").permitAll();` only allows me to access the page at localhost:8080/resources/ without being redirected to the login page. – Jordan Noel Oct 03 '18 at 12:45
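
The difference between the rule order in the question and the order in the answer above, as an added example that is not part of the original posts: Spring Security consults `antMatchers` rules in the order they are declared and the first match decides. The class name `MatcherOrderDemo`, the sample paths and the decision labels are assumptions made for illustration; only spring-core is needed on the classpath.

```java
import org.springframework.util.AntPathMatcher;

// Added illustration (not Spring Security's own code): a model of how an ordered
// list of antMatchers rules is consulted, where the first matching rule decides.
public class MatcherOrderDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Each rule is {antPattern, decision}; the first pattern that matches wins.
    static String decide(String[][] rules, String path) {
        for (String[] rule : rules) {
            if (MATCHER.match(rule[0], path)) {
                return rule[1] + " via " + rule[0];
            }
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        // Order from the question. Assumption: formLogin().loginPage("/login").permitAll()
        // is modelled as a leading rule that opens the login page itself.
        String[][] question = {
            {"/login", "permitAll"},
            {"/**", "hasAnyRole(USER)"},
            {"/resources/**", "permitAll"},   // never reached: "/**" already matched
            {"/**", "permitAll"},             // anyRequest().permitAll(), never reached
        };
        // Order from the first answer: public paths first, catch-all last.
        String[][] answer = {
            {"/resources/**", "permitAll"},
            {"/login*", "permitAll"},
            {"/**", "authenticated"},         // stands in for anyRequest().authenticated()
        };
        // Constructed request paths. "/css/app.css" is the URL of a file served from
        // classpath:/static/css/ under Spring Boot's default static mapping (assumed).
        String[] paths = {"/login", "/", "/resources/css/app.css", "/css/app.css"};

        for (String path : paths) {
            System.out.println(path);
            System.out.println("  question order: " + decide(question, path));
            System.out.println("  answer order:   " + decide(answer, path));
        }
    }
}
```

A stylesheet requested as `/css/app.css` falls through to the catch-all in both orderings, so the `permitAll()` pattern has to match the URL the browser actually requests, not the folder name on disk.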
1

Spring Security is not allowing your CSS when a "GET" request to it is made. Allow it by changing the following line to the next line:

this line = .antMatchers("/*.js").permitAll()

this line = .antMatchers("/*.js", "/*.css").permitAll()

0

Update your method by using authenticated() like below.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      // public paths first: login page, static resources, top-level scripts
      .antMatchers("/login*").permitAll()
      .antMatchers("/resources/**").permitAll()
      .antMatchers("/*.js").permitAll()
      // everything else requires an authenticated user
      .anyRequest()
      .authenticated()
      .and()
      .formLogin();
}

Refer to this article

Alien
  • 15,141
  • 6
  • 37
  • 57
  • This allows me, indeed to redirect my user to the login page, but it still doesn't load the css files in the `ressources` folder... – Jordan Noel Oct 02 '18 at 14:28
  • updated the answer..pls check once added .antMatchers("/resources/**").permitAll() .antMatchers("/*.js").permitAll() – Alien Oct 02 '18 at 14:37
0

I had this problem on my login page before authentication. I found it and resolved my problem by overriding this method in SecurityConfig:

  @Override
  public void configure(WebSecurity web) {
     web.ignoring().antMatchers("/resources/**");
  }

Afterward, the login page knew .js and .css.

M.Minbashi
  • 244
  • 1
  • 3
  • 12