How to exclude Angular component when using PCF SSO service with EnableOAuth2Sso annotation?

Question

I am using Angular and Spring Boot to build a Single Page app with Rest API. Here is my SpringBoot application :

@SpringBootApplication
@Controller

public class AptSsoAppApplication {

public static void main(String[] args) {
        if ("true".equals(System.getenv("SKIP_SSL_VALIDATION"))) {
            SSLValidationDisabler.disableSSLValidation();
        }
        SpringApplication.run(AptSsoAppApplication.class, args);
    }
@EnableOAuth2Sso
    @Configuration
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/health").permitAll()
            .anyRequest().authenticated().and()
          .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
      }
    }

Angular project contains component. One of the component was designed for healthcheck. SpringBoot should ignore SSO for health component.

I followed this example : https://spring.io/guides/tutorials/spring-security-and-angular-js/

For all the Angular routes, SSO authentication page is displaying. Can someone please let me know what is wrong with my code?

Answer 1

The problem is that your static resources (angular code) are protected. You have to allow access to your angular app first. Essentially index.html needs to render to the browser - which loads underlying angular dependencies.

Once that is done, you can have parts of the app that are secured and parts that are not secured (to do health check, allow the user to login, etc).

The actual implementation will be based on how you set up your app within spring.

More info: Serving static web resources in Spring Boot & Spring Security application