
I have a Spring Boot app and defined an OAuth2 client through the properties file:

```properties
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/tenantid/v2.0
spring.security.oauth2.client.registration.azure.provider=azure
spring.security.oauth2.client.registration.azure.client-id=clientid
spring.security.oauth2.client.registration.azure.client-secret=secret
spring.security.oauth2.client.registration.azure.scope=openid,email,profile
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/
```

That works fine. But now I want to add a public landing page that is an HTML file in the static folder.

So I implemented this:

```java
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http = http.authorizeHttpRequests(authorize -> {
        try {
            authorize
                .requestMatchers("/resources/static/*.html", "/static/*.html", "/assets/**").permitAll()
                .anyRequest().authenticated()
                .and()
                    .oauth2Login()
                    .userInfoEndpoint().oidcUserService(new AzureOAuth2UserService());
        } catch (Exception e) {
            e.printStackTrace();
        }
    });
    return http.build();
}
```

The problem is that when I start the Spring Boot app and try to navigate to the HTML file, it still gets forwarded to the OAuth2 authentication. This is in the log. It seems like it's not taking my code from the securityFilterChain:

```
2023-04-06 08:02:55,200 DEBUG org.springframework.security.web.FilterChainProxy: Securing GET /home.html
2023-04-06 08:02:55,201 TRACE org.springframework.security.web.csrf.CsrfFilter: Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2023-04-06 08:02:55,209 DEBUG org.springframework.web.servlet.handler.AbstractHandlerMapping: Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [resources/static/], classpath [public/]]
2023-04-06 08:02:55,213 DEBUG org.springframework.web.servlet.handler.AbstractHandlerMapping: Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [resources/static/], classpath [public/]]
2023-04-06 08:02:55,215 DEBUG  org.springframework.web.servlet.handler.AbstractHandlerMapping: Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [resources/static/], classpath [public/]]
2023-04-06 08:02:55,215 DEBUG  org.springframework.security.web.authentication.AnonymousAuthenticationFilter: Set SecurityContextHolder to anonymous SecurityContext
2023-04-06 08:02:55,219 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache: Saved request https://localhost:9520/home.html?continue to session
2023-04-06 08:02:55,219 DEBUG  org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint: Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6df459fe, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1603/0x00000008016d8000@24a508]
2023-04-06 08:02:55,221 DEBUG org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint: Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@35b68350
2023-04-06 08:02:55,221 DEBUG org.springframework.security.web.DefaultRedirectStrategy: Redirecting to https://localhost:9520/oauth2/authorization/azure
2023-04-06 08:02:55,272 DEBUG [https-jsse-nio-9520-exec-2] org.springframework.security.web.FilterChainProxy: Securing GET /oauth2/authorization/azure
```

Has anybody any idea why it doesn't work?

user2316219
  • Does this answer your question? [Serving static web resources in Spring Boot & Spring Security application](https://stackoverflow.com/questions/24916894/serving-static-web-resources-in-spring-boot-spring-security-application) – Eleftheria Stein-Kousathana Apr 06 '23 at 08:16
  • I tried it and it doesn't work with the latest version of Spring. In fact it seems everything you put in requestMatchers to allow is completely ignored – user2316219 Apr 06 '23 at 08:23
  • No, it's just that your matchers are broken. You obviously did not understand the accepted answer to the question linked. Read it again. – ch4mp Apr 06 '23 at 19:28
  • I know that it's wrong. Can you then tell me what's wrong rather than telling me it's wrong. – user2316219 Apr 10 '23 at 05:19
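
Added example, not part of the original question or its comments: request matchers are compared with the request path that the log shows (`/home.html`), not with the file's location under `static/` on the classpath. The class name `LandingPageSecurityConfig`, the `matches` helper and the use of the default OIDC user service in place of the asker's `AzureOAuth2UserService` are assumptions, as is Spring Security 6 with the bean declared in a `@Configuration` class.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.PathContainer;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.util.pattern.PathPatternParser;

@Configuration
public class LandingPageSecurityConfig { // hypothetical class name

    // Only the landing page and the asset folder are public. Listing the page
    // explicitly avoids exposing every root-level *.html file by accident.
    static final String[] PUBLIC_PATHS = {"/home.html", "/assets/**"};

    @Bean
    SecurityFilterChain web(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers(PUBLIC_PATHS).permitAll()
                .anyRequest().authenticated())
            // Default OIDC login (assumption). A custom service can be set with
            // oauth2Login(o -> o.userInfoEndpoint(u -> u.oidcUserService(...))).
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    // Hypothetical helper: checks a pattern against a request path using
    // Spring's PathPattern parser. For these simple patterns Ant-style
    // matching gives the same result.
    static boolean matches(String pattern, String requestPath) {
        return PathPatternParser.defaultInstance.parse(pattern)
                .matches(PathContainer.parsePath(requestPath));
    }

    public static void main(String[] args) {
        String path = "/home.html"; // request path taken from the log above
        String[] patterns = {
            "/resources/static/*.html", "/static/*.html", "/assets/**", // from the question
            "/home.html", "/*.html"                                     // URL-path based
        };
        for (String pattern : patterns) {
            System.out.println(pattern + " -> " + matches(pattern, path));
        }
    }
}
```

Running `main` shows which of the patterns cover `/home.html`; any request that no `permitAll()` pattern covers falls through to `anyRequest().authenticated()` and is redirected to the login entry point.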

0 Answers