0

I am making an authentication project using spring boot. I have used spring starter security but the problem I am facing is I want to permit some pages to be accessible by all. But spring is asking for authentication in using those web pages also.

I have tried this code:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf().disable()
            .authorizeRequests().antMatchers("/","/signUp").permitAll().anyRequest().authenticated()
            .and()
            .httpBasic();
       }

i have used following code as well but that also not working in the expected way as i described and asking for authentication

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf().disable()
            .authorizeRequests().antMatchers("/").permitAll()
            .and()
            .httpBasic();
     }

it is expected to allow access to these pages without authentication but it is asking for authentication.

Romil Patel
  • 12,879
  • 7
  • 47
  • 76
Basau Lohan
  • 9
  • 2
  • What URL do you call? Show also your full Spring Security configuration. Did you annotate your class in the right way? – dur Sep 09 '19 at 13:52
  • ` @Configuration @EnableWebSecurity public class AppSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private UserDetailsService userDetailsService; @Bean public AuthenticationProvider authProvider() { DaoAuthenticationProvider provider=new DaoAuthenticationProvider(); provider.setUserDetailsService(userDetailsService); provider.setPasswordEncoder(new BCryptPasswordEncoder()); return provider; } [above method here which i have posted] } ` – Basau Lohan Sep 09 '19 at 14:03
  • can you share the request you are making – Romil Patel Sep 09 '19 at 16:05

1 Answers1

0

Try .antMatchers(HttpMethod.Method,"/endpoint") and /** with configure(HttpSecurity http)

    @Override
    protected void configure(HttpSecurity http) throws Exception{

         http
         .csrf().disable()
         .authorizeRequests()
         .antMatchers("/**","/signUp").permitAll()
         .antMatchers(HttpMethod.POST,"/endpointPOST").permitAll()
         .antMatchers(HttpMethod.GET,"/endpointGET").permitAll()
         .anyRequest().authenticated();

    }

If you want to bypass the Security Filter Chain for some endpoints then use configure(WebSecurity web).

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
            .antMatchers("/signUp", "**/endpoint/**");
    }

HttpSecurity vs WebSecurity

Romil Patel
  • 12,879
  • 7
  • 47
  • 76