Spring boot: How to skip basic-auth for particular endpoint

Question

I tried many ways but When I hit /healthCheck URL it prompts to enter username and password. I have below code in EmailsecurityAdapter.java class

import com.cellpointmobile.email.services.AuthenticationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class EmailSecurityAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }


@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers("/healthCheck**");
}


@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
            .and()
            .httpBasic();
}

    @Bean
    public PasswordEncoder passwordEncoder() {
        //https://www.browserling.com/tools/bcrypt
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }
}

what should I change in configure() method to publicaly access healthCheck url?

Postman response GET http://127.0.0.1:8080/heathCheck

<Map>
    <timestamp>2019-09-13</timestamp>
    <status>401</status>
    <error>Unauthorized</error>
    <message>Unauthorized</message>
    <path>/heathCheck</path>
</Map>

Romil Patel · Accepted Answer · 2019-09-13T17:42:40.193

1

Use

@Override
protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "**/heathCheck/**").permitAll()
        .anyRequest()
        .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
        .and()
        .httpBasic();
}

OR use web.ignoring() in configure(WebSecurity web) which will ingore all security filters for endpoints specififed with it. After that you can remove it from configure(HttpSecurity http) and keep configure(WebSecurity web) above configure(HttpSecurity http).

HttpSecurity vs WebSecurity

 @Override
    public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
            .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");
    }

UPDATE:

@Override
        public void configure(WebSecurity web) throws Exception {
            web
              .ignoring()
                .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");
        }

@Override
protected void configure(HttpSecurity http) throws Exception {
            http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')");
}

edited Sep 13 '19 at 17:42

answered Sep 13 '19 at 16:48

Romil Patel

12,879
7
47
76

It's not working, I am getting popup to enter username password when I access http://127.0.0.1:8080/healthCheck – Praveen D Sep 13 '19 at 17:06
Hi @PraveenD, have you tried with `configure(WebSecurity web)` – Romil Patel Sep 13 '19 at 17:08
@PraveenD can you update with your current configuration and are you geeting spring security default login page or what kind of popup – Romil Patel Sep 13 '19 at 17:09
@PraveenD From updated code I can see `WebSecurity` has been kept below `HttpSecurity`. keep WebSecurity first and then HttpSecuriy as in updated answer – Romil Patel Sep 13 '19 at 17:20
Hi @PraveenD, I have noticed that you have `healthcheck` and making a request at `heathCheck` two diff endpoints – Romil Patel Sep 13 '19 at 17:24
I moved above even getting same error. I didn't understand: making a request at heathCheck two diff endpoints – Praveen D Sep 13 '19 at 17:28
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/199442/discussion-between-patel-romil-and-praveen-d). – Romil Patel Sep 13 '19 at 17:29

Spring boot: How to skip basic-auth for particular endpoint

1 Answers1