4

I started a Spring Boot + Angular application and for now I want to deploy the whole thing as a jar. So I created a Maven config, where the Angular app gets built and then is copied to /target/classes/resources

But every request to root (localhost:8080) gets blocked by security. When I disable it I can see the page, which means the whole thing is deployed correctly, but somehow Spring does not allow me to see it. Here is my simple security config. I want static resources to be unprotected, while any other request requires authentication:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

EDIT: A minimal example of my problem is here: https://gitlab.com/jnowacki/security-issue-demo

EDIT 2: I tried all the things from this post: Serving static web resources in Spring Boot & Spring Security application. Do I do something wrong on a conceptual level? Is it wrong to serve static content along with a Spring Boot app?

KKeff
  • @dur I added a link to a repo with a minimal example. I need to serve index without any auth, and any other request after authentication. I know I can permit all and then secure just some path after e.g. /api but that is not the point. – KKeff Dec 04 '18 at 21:55
  • Your question is not clear. If you want to permitAll the URL `/` then you have to add that URL to your configuration. – dur Dec 08 '18 at 16:43
  • @dur When I configure it as follows: `http.authorizeRequests() .antMatchers("/").permitAll() .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() .anyRequest().authenticated() .and().httpBasic();` index.html is allowed, but the request for css asks for credentials. – KKeff Dec 10 '18 at 09:14

6 Answers

4

Add this additional override:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers(AUTH_WHITELIST);
}

where AUTH_WHITELIST will contain the paths to be ignored. For instance:

private static final String[] AUTH_WHITELIST = {
        // -- swagger ui
        "/v2/api-docs",
        "/swagger-resources",
        "/swagger-resources/**",
        "/swagger-ui.html",
        "/resources/**"
};
NiVeR
  • Can you be more specific? There is no mention of similar thing in the release notes of 2.1: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.1-Release-Notes – NiVeR Dec 04 '18 at 15:47
  • I added a link to a minimal example. I don't think it's specific to 2.1, it's just that I have this version and it doesn't work there. – KKeff Dec 04 '18 at 21:57
1

Try the below.

@Override
public void configure(WebSecurity web) throws Exception {
    web
    .ignoring()
    .antMatchers("/resources/**");
}

Refer to spring-securitys-antmatcher

Alien
  • 15,141
  • 6
  • 37
  • 57
0

Use this method to allow static resources to be ignored by Spring Security:

// this method allows static resources to be neglected by Spring Security
@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/resources/**", "/static/**");
}
Shubham Dixit
0

According to StaticResourceLocation docs:

.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()

will permit access to CSS, JS, ICO, images and NOT to html.

To permit index.html you can use the following configuration:

 http.authorizeRequests()
                .antMatchers("/index.html", "/").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();
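
An added example, not part of any answer on this page: one configuration that keeps static files public through `permitAll()` and covers both the entry page and assets that sit outside the common locations. The names `SpaSecurityConfig`, `SPA_ENTRY_POINTS` and `SPA_ROOT_ASSETS`, and the root-level asset patterns, are assumptions about the Angular build output.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpaSecurityConfig extends WebSecurityConfigurerAdapter {

    // Entry page of the single-page app; atCommonLocations() does not cover HTML.
    private static final String[] SPA_ENTRY_POINTS = { "/", "/index.html" };

    // Assumption: the Angular build writes its bundles (main.js, styles.css, ...)
    // next to index.html in the web root, not under /css/** or /js/**.
    private static final String[] SPA_ROOT_ASSETS = { "/*.js", "/*.css", "/*.ico" };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Covers /css/**, /js/**, /images/**, /webjars/** and the favicon only.
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // Read-only access is enough for the page itself.
                .antMatchers(HttpMethod.GET, SPA_ENTRY_POINTS).permitAll()
                // "*" stays inside one path segment: /main.js matches, /api/x.js does not.
                .antMatchers(HttpMethod.GET, SPA_ROOT_ASSETS).permitAll()
                // Everything else, including the API, still needs credentials.
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}
```

Unlike `web.ignoring()`, `permitAll()` keeps these requests inside the Spring Security filter chain, so the default security response headers are still written for them.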
0

// extends WebSecurityConfigurerAdapter

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
         web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, ALL_ESCAPE)
            .antMatchers("*.js")
            .antMatchers(")
            .antMatchers(BOWER_COMPONENTS)
            .antMatchers(I18N)
            .antMatchers(CONTENT);           
      }
}
Arshad Ali
venkey
0

You must match the real path, for example:

.pathMatchers("/assets/**", "/static/**")
            .permitAll()
Igor Roman