I created a Spring Security configuration class for Spring-Boot. My login page has resources css, js and ico files. The resources are getting denied for security reasons and redirected to login page each time. Why does EnableWebMVCSecurity not add the Classpath resource location. After changing the code as in the second snippet the I Classpath resource location is added. dont understand what I am missing for the resources in the first code snippet.
@Configuration
/*
* Enable Spring Security’s web security support and provide the Spring MVC integration
* It also extends WebSecurityConfigurerAdapter
and overrides a couple of its methods to set some specifics of the web security configuration.
*/
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* The configure(HttpSecurity) method defines with URL paths should be
* secured and which should not.
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated();
// There is a custom "/login" page specified by loginPage(), and everyone
// is allowed to view it.
http
.formLogin()
.loginPage("/login.html")
.permitAll()
.and()
.logout()
.permitAll().logoutSuccessUrl("/login.html");
}
@Configuration
protected static class AuthenticationConfiguration extends
GlobalAuthenticationConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
// As for the configure(AuthenticationManagerBuilder) method, it sets up
// an in-memory user store with a single user. That user is given a
// username of "user", a password of "password", and a role of "USER".
auth
.inMemoryAuthentication()
.withUser("[email protected]").password("password").roles("USER");
}
}
I got this working by changing the code to
@Configuration
/*
* Enable Spring Security’s web security support and provide the Spring MVC integration
* It also extends WebSecurityConfigurerAdapter
and overrides a couple of its methods to set some specifics of the web security configuration.
*/
public class WebSecurityConfig{
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Bean
public AuthenticationSecurity authenticationSecurity() {
return new AuthenticationSecurity();
}
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated();
http
.formLogin()
.loginPage("/login.html")
.permitAll()
.and()
.logout()
.permitAll().logoutSuccessUrl("/login.html");
}
}
@Order(Ordered.HIGHEST_PRECEDENCE + 10)
protected static class AuthenticationSecurity extends
GlobalAuthenticationConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("[email protected]").password("password").roles("USER");
}
}
}
After changing the code I noticed that the Ignore paths were added to the filter and I see the following in logs:
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/css/**'], [] [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/js/**'], [] [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/images/**'], [] [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/**/favicon.ico'], [] [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]