2

I am working with Spring Security and when I am trying to use external javascript or even webjars, security blocks access.

I've tried adding some javascript to my webpage like this: header.html

<script src="https://cdnjs.cloudflare.com/ajax/libs/sockjs-client/1.4.0/sockjs.min.js"></script>
<script src="/webjars/stomp-websocket/stomp.min.js"></script>

My Security Config looks like this (notice the "/webjars/", "/*.js", "/.js").permitAll()):

AppConfig.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AppConfig extends WebSecurityConfigurerAdapter {

@Bean
public LogoutSuccessHandler logoutSuccessHandler() {
    return new LogoutController();
}

@Bean
public AuthenticationController authenticationController() throws UnsupportedEncodingException {
    JwkProvider jwkProvider = new JwkProviderBuilder(domain).build();
    return AuthenticationController.newBuilder(domain, clientId, clientSecret)
            .withJwkProvider(jwkProvider)
            .build();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http
        .authorizeRequests()
        .antMatchers("/callback", "/login", "/", "/*.png", "/css/**", "/js/**", "/bibliographies", "/bibliographies/*", "/api/**", "/webjars/**", "/*.js", "/**.js").permitAll()
        .anyRequest().authenticated()
        .and()
        .logout().logoutSuccessHandler(logoutSuccessHandler()).permitAll();
}

On loading the webpage from which I want to access the javascript I get the following Exception:

2020-01-18 16:38:39.941 DEBUG 7824 --- [nio-3000-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]

Other matchers I've declared such as "/api/**" are available without logging in, however my own security is blocking me from accessing .js files, even though my matchers seem ok.

How can I fix this issue ?

Jan Chabik
  • 99
  • 1
  • 9

1 Answers1

1

Add:

<security:intercept-url pattern="/resources/**" access="permitAll" />

in your context file. Here, resources is the directory where all JS files are located.

You can refer to this link: Spring security does not allow CSS or JS resources to be loaded

Himanshu Jain
  • 334
  • 2
  • 12