How to disable Spring Boot Authentication control for a particular Rest Controller

Question

I made a CRUD app using Angular on client side and Spring Boot on the backend. I implemented then authentication with Okta and everything works fine. The problem is that I want to retrieve some data from database for my homepage, and show those info even if no user is authenticated, but I keep receiving a 401 Unauthorized http response.

I read some other question here in stackoverflow and these are all the configuration that I tried in my Spring server:

public class SecurityConfig extends WebSecurityConfigurerAdapter{

1)

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().anyRequest().authenticated().and().oauth2Client().and().oauth2Login()
            .and().csrf().ignoringAntMatchers("/stats/**");
    http.cors();
}

2)

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/stats/**").permitAll().anyRequest().authenticated().and().oauth2Client().and().oauth2Login();
    http.cors();
}

They don't work. This is the @RestController that I'm trying to contact for my GET methods:

@RestController
@RequestMapping("/stats")
@CrossOrigin("http://localhost:4200")
public class StatsController {

@Autowired
private CompanyManagerService companyManagerService;
@Autowired
private ReservationService reservationService;
@Autowired
private ReviewService reviewService;
@Autowired
private UserService userService;


@GetMapping("/company")
public ResponseEntity getCompanyCount(){

    return new ResponseEntity(companyManagerService.getCompanyCount(), HttpStatus.OK);
}

@GetMapping("/field")
public ResponseEntity getFieldCount(){

    return new ResponseEntity(companyManagerService.getFieldCount(), HttpStatus.OK);
}

@GetMapping("/reservation")
public ResponseEntity getReservationCount(){

    return new ResponseEntity(reservationService.getCount(), HttpStatus.OK);
}

@GetMapping("/review")
public ResponseEntity getReviewCount(){

    return new ResponseEntity(reviewService.getCount(), HttpStatus.OK);
}

How can I solve this situation?

Yes. All the methods in StatsController provide info and statistics that I show on my homepage, and must be shown before user login — Fabrizio Gabriele, Jun 15 '20 at 20:40

score 1 · Accepted Answer · answered Jun 16 '20 at 04:03

Make sure your security configuration class SecurityConfig is annotated with @EnableWebSecurity and @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
The security configuration class is in follows the package structure and scanned by Spring. spring-component-scanning
The application does not have a context path if you are using a context path then you may use **/stats/** or /context-path/stats/**

You may use configure(WebSecurity web) that will bypass the security filter chain and you will be able to access the GET APIs

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("**/stats/**");
    }

If you are using both configure(WebSecurity web) and configure(HttpSecurity http) methods, make sure you have placed configure(WebSecurity web) above the configure(HttpSecurity http) as described here

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

     // Other Configurations...

     @Override
     public void configure(WebSecurity web) throws Exception {
         web
            .ignoring()
            .antMatchers("**/stats/**");
     }

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable().cors().disable()
            .authorizeRequests()
            .antMatchers("**/stats/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Client()
            .and()
            .oauth2Login();
      }

     // Other Configurations...

}

I added annotations, the new configure method that receives a WebSecurity instance and added .csrf().disable() into the http method chain. I can't neither add cors().disable nor remove http.cors() at the end of the configure(http) method, otherwise I get XmlHttpRequest Error ( No Access-Control-Allow-Origin header). Anyway, it still doesn't work — Fabrizio Gabriele, Jun 16 '20 at 09:15
Seems I solved. I kept http.cors() at the end, I removed .cors().disable() in the HttpSecurity method chain and I changed path from ** /stats/ ** to /stats/**. Now it works — Fabrizio Gabriele, Jun 16 '20 at 09:21

score 0 · Answer 2 · answered Jun 15 '20 at 18:57

0

Update the configure method to this and try

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/stats/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .oauth2Client()
        .and()
        .oauth2Login();
  }

answered Jun 15 '20 at 18:57

Suraj

737
6
21

1

What's the difference with the code I already have? I see it's the same, just written vertically. – Fabrizio Gabriele Jun 15 '20 at 20:42

How to disable Spring Boot Authentication control for a particular Rest Controller

2 Answers2