1

I am new to Spring Boot and trying to find out how to whitelist an endpoint. I have enabled Spring Security.

I have a controller class with an endpoint, Hello, which should return "hello" in the response, and I want anyone to be able to access this endpoint without authentication.

```java
@RestController
@RequestMapping(value = {"/employee"})
public class EmployeeController {

    @Autowired
    EmployeeRepository empRepose;

    @Autowired
    EmployeeService empService;

    @Autowired
    private Utility utility;

    @PreAuthorize("permitAll()")
    @GetMapping(value = "/hello", produces = MediaType.APPLICATION_JSON_VALUE)
    public String home() {
        return "Hello Employee!";
    }
}
```

Spring Security configuration:

```java
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class ApplicationBasicAuth extends WebSecurityConfigurerAdapter {

    @Autowired
    RegisterUser beanRegisteruser;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        /* httpSecurity.csrf().disable()
                .authorizeRequests().anyRequest().authenticated()
                .and().httpBasic();*/

        /* httpSecurity
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/employee/**").permitAll()
                .and()
                .csrf().disable();*/

        httpSecurity.csrf().disable();

        httpSecurity.authorizeRequests().anyRequest().permitAll();
    }
}
```
I tried so many ways to whitelist all endpoints or even 1 endpoint for which I don't need to go for authentication.

Please, help me to find out what I am doing wrong here.

Nikolai Shevchenko
lalit bhadula
  • Your code should work. You have to add the response code, error message and/or the log messages to your question. Did you enter the URL of your application into a browser or do you use any other client? – dur Dec 27 '19 at 16:58
  • Hi Nikolai, I tried on both Browser and client, browser redirecting me to login page and client giving me 401 error. – lalit bhadula Dec 30 '19 at 06:14

1 Answer

2

You can achieve this using `configure(WebSecurity web)` and/or `configure(HttpSecurity http)`. If you are using both of them, note that you have to keep `configure(WebSecurity web)` above `configure(HttpSecurity http)`. You may see more details here


configure(WebSecurity web)

The general use of the WebSecurity `ignoring()` method omits Spring Security, and none of Spring Security's features will be available.

```java
@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/hello");
}
```

configure(HttpSecurity http)

You can also use the `configure(HttpSecurity http)` method with `.permitAll()`, as below:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/hello").permitAll()
        .anyRequest().authenticated();
}
```
Romil Patel
  • hi Romil, I tried but didn't work... Do we need to mention ApplicationBasicAuth Class somewhere else also or need to put some configuration in the application.properties file related to it? – lalit bhadula Dec 27 '19 at 15:39
  • 1
    @lalitbhadula Have you tried both approaches? Please share your updated code with a project structure. – Romil Patel Dec 27 '19 at 16:08
  • @lalitbhadula, Remove `@PreAuthorize("permitAll()")` from `/hello` and try again – Romil Patel Jan 16 '20 at 16:25
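
As an added example (not code from the question or the answer), here is a configuration that allowlists only the endpoint from the question and keeps everything else behind HTTP Basic. It assumes the Spring Security 5 `WebSecurityConfigurerAdapter` API used on this page; the class name `PublicHelloSecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. The class must sit in a package that the
// application's @SpringBootApplication class component-scans; if it is not
// picked up, Spring Boot's default security (every request authenticated)
// stays in effect.
@Configuration
@EnableWebSecurity
public class PublicHelloSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The matcher sees the full request path: the class-level
                // @RequestMapping("/employee") plus @GetMapping("/hello").
                // Scoping the rule to GET and to one exact path keeps the
                // unauthenticated surface as small as possible.
                .antMatchers(HttpMethod.GET, "/employee/hello").permitAll()
                // Rules are evaluated in order, so the catch-all goes last.
                .anyRequest().authenticated()
            .and()
            // Credentials are still required for everything not listed above.
            .httpBasic();
        // CSRF protection is left at its default: it only applies to
        // state-changing methods, so the public GET is unaffected.
    }

    // web.ignoring() would also open the endpoint, but it removes the request
    // from the filter chain entirely, so the response loses Spring Security's
    // headers and the handler has no SecurityContext. permitAll() keeps the
    // chain and only relaxes the authorization decision.
}
```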