0

I am trying to create a single Spring Boot application (latest version) that can serve:

  • static HTML, CSS, JavaScript and image (favicon, jpg, png etc) files
  • HTML content based on Thymeleaf template files
  • REST endpoints

All of the above should be able to serve:

  • without authentication (public access)
  • with authentication (restricted access)

Meaning that the following mappings should apply:

| URL request | Served from (resource folder or a controller) | Public | Notes |
|---|---|---|---|
| `/ui/media/*` | `../resources/web/ui/media/*` | Yes | |
| `/ui/style/*` | `../resources/web/ui/style/*` | Yes | |
| `/ui/scrippt/*` | `../resources/web/ui/scrippt/*` | Yes | |
| `/ui/login` | `../resources/web/ui/login.html` | Yes | |
| `/ui/forgot` | `../resources/web/ui/forgot.html` | Yes | |
| `/ui/admin/*` | `../resources/web/ui/admin/*` | No | 1 |
| `/ui/user/*` | `../resources/web/ui/user/*` and UiUserController using Thymeleaf template files | No | 1, 2 |
| `/api/auth/login` | `AuthenticationController::login()` | Yes | |
| `/api/auth/forgot` | `AuthenticationController::login()` | Yes | |
| `/api/ping` | `ApiPingPongController::ping()` | Yes | |
| `/api/pong` | `ApiPingPongController::pong()` | No | 1 |
| `/api/v1/*` | `WildcardController::handle()` | Yes | 3 |

Notes:

  1. Requires user to be authenticated
  2. UiUserController class handles endpoints and uses Thymeleaf template files from resource folder
  3. This single method should be able to handle any request (GET/POST/...) starting with `/api/v1/**` and, based on a hardcoded list of values, either serve public access or check that a JWT token is present and valid (meaning validation should be inside this method). I can validate the JWT in here, so I don't need a solution for that. I just wanted to add it so you know this endpoint is special compared to most examples around.

I've listed lots of endpoints, but only because I haven't been able to combine all of these with public/non-public security, and I can't find any examples on the Internet that combine all of these.

What I have so far:

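```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// JWTAuthorizationFilter is the poster's own class (not shown in the question).
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().and()
                .csrf().disable()
                .authorizeRequests()

                // Public static files
                .antMatchers(HttpMethod.GET, "/ui/login", "/ui/forgot", "/ui/media/**", "/ui/style/**", "/ui/script/**").permitAll()

                // User static files based on Thymeleaf
                .antMatchers(HttpMethod.GET, "/ui/user/**").hasRole("USER")

                // Administration static file
                .antMatchers(HttpMethod.GET, "/ui/admin/**").hasRole("ADMIN")

                // Authentication REST endpoints
                .antMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .antMatchers(HttpMethod.POST, "/api/auth/forgot").permitAll()

                // /api/ping, /api/pong endpoints
                .antMatchers("/api/ping").permitAll()
                .antMatchers("/api/pong").hasAnyRole("USER", "ADMIN")

                // /api/v1/** endpoint
                .antMatchers("/api/v1/**").permitAll()

                // Everything not matched above requires authentication
                .anyRequest().authenticated().and()

                // JWT filter
                .addFilterAfter(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching these URL patterns skip the security filter chain
        web.ignoring()
                .antMatchers("/resources/**");
    }

}
```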

The authentication process and REST endpoints work, but the Thymeleaf endpoint cannot find resource files and the static files are not accessible at all (even public or authenticated).

I've tried so many combinations for the last 3 weeks that I am really close to giving up on this.

Can someone point me in the right direction?

KimHansen
  • Does this answer your question? [Serving static web resources in Spring Boot & Spring Security application](https://stackoverflow.com/questions/24916894/serving-static-web-resources-in-spring-boot-spring-security-application) – İsmail Y. Feb 25 '22 at 16:03

1 Answer

0

Add this in your WebSecurityConfig class:

```java
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers("/resources/**", "/static/**", "/css/**");
}
```

vikas
  • I can't see how that would help directing requests to see files below the `../resources/web/*` folder when I don't want the `/web` to be part of the request? – KimHansen Feb 25 '22 at 16:06
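
The mapping asked about in the last comment, as an added example that is not part of the original posts: a Spring MVC resource handler maps the `/ui/**` URL space onto the `web/ui/` classpath folder, so `/web` never appears in the request. The class name `UiResourceConfig` is hypothetical, and the sketch assumes the files sit under `src/main/resources/web/ui/` as in the question's table.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: UiResourceConfig is a hypothetical name, and the files are
// assumed to live under src/main/resources/web/ui/ as in the question's table.
@Configuration
class UiResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Request /ui/style/site.css is read from classpath:/web/ui/style/site.css,
        // so "/web" is never part of the URL. Only /ui/** is mapped; nothing
        // else under src/main/resources/web/ becomes reachable through it.
        registry.addResourceHandler("/ui/**")
                .addResourceLocations("classpath:/web/ui/");
    }

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // The table serves login.html and forgot.html at extension-less URLs;
        // forward those URLs to the files exposed by the handler above.
        registry.addViewController("/ui/login").setViewName("forward:/ui/login.html");
        registry.addViewController("/ui/forgot").setViewName("forward:/ui/forgot.html");
    }
}
```

Access control stays with the question's `HttpSecurity` rules, which match on request URLs and not on classpath folders. Paths listed in `web.ignoring()` skip the security filter chain entirely, so that list should not cover `/ui/admin/**` or `/ui/user/**`.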