2
votes

I have been fighting with Spring Security for the past few days so I hope someone can help me out here.

  • I am using Spring Boot 1.2.5
  • I was using Spring Actuator and Spring Remote Shell, those have since been removed from the classpath thinking they may be causing issues
  • I excluded SecurityAutoConfiguration on the off chance it was causing my issues

Here is my main class

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;

// Boot's default security auto-configuration is switched off so that only the
// explicit SecurityConfig below applies
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
public class MyApplication {

    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

Here is my security configuration

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

// AuthFailureHandler and AuthSuccessHandler are the application's own
// AuthenticationFailureHandler / AuthenticationSuccessHandler beans
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthFailureHandler authFailureHandler;

    @Autowired
    private AuthSuccessHandler authSuccessHandler;

    // Requests matching these patterns bypass the security filter chain entirely
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
                .ignoring()
                    .antMatchers("/css/**")
                    .antMatchers("/js/**")
                    .antMatchers("/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .exceptionHandling()
                    // Unauthenticated requests should get a 403, not a redirect to /login
                    .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                    .accessDeniedPage("/403")
                    .and()
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/about").permitAll()
                    .antMatchers("/login").permitAll()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .formLogin()
                    .usernameParameter("sec-user")
                    .passwordParameter("sec-password")
                    .loginPage("/login")
                    .failureHandler(authFailureHandler)
                    .successHandler(authSuccessHandler)
                    .permitAll()
                    .and()
                .logout()
                    // The servlet session cookie is JSESSIONID (was misspelled JESSIONID)
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true)
                    .permitAll();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    // Expose the AuthenticationManager as a bean so other components can inject it
    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }
}

My questions / issues are

  1. CSS, JavaScript, Images, basically no static content will load, and I can't seem to figure out why

  2. What makes things even more interesting is that, instead of getting a 403 error, which is what I would expect, it redirects to the login page. I don't want that; it should return 403 if they don't have access.

I am calling my static resources from Thymeleaf like so

<link rel="stylesheet" media="screen" th:href="@{/css/main.css}" />

My static resources were working fine before adding security.

My static files are in resources/public/.

This is fine according to the Spring Boot docs:

By default Spring Boot will serve static content from a folder called /static (or /public or /resources or /META-INF/resources) in the classpath or from the root of the ServletContext.

1
Aeseir: Why do you have your css/js/images mapped as URLs under authorizeRequests? You shouldn't be listing them there; you should be adding them to your resource handlers and have Spring do the work.

greyfox: I am using Spring Boot; my understanding is it does that already through its autoconfig, because it was all working fine before I added security, unless I am not understanding you. They are in /resources/public, which Spring Boot automatically maps.

Aeseir: ".authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll()" is redundant code and shouldn't be listed there. You are basically telling the system to expect <domain>/css to be a valid URL to access. You can still use resource handlers with Boot. But get rid of that line and give it a whirl.

greyfox: I updated my config but it still isn't working. When /css/main.css is requested it returns HTML, being the login page.

Aeseir: How exactly are you trying to load the resources? Can you show the view code?

1 Answer

0
votes

Try adding a resource handler.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Resource locations are base directories (trailing slash), not "/**" patterns
        registry.addResourceHandler("/css/**")
                .addResourceLocations("classpath:/css/");
        registry.addResourceHandler("/img/**")
                .addResourceLocations("classpath:/img/");
        registry.addResourceHandler("/resources/**")
                .addResourceLocations("/resources/");
    }
}
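Whichever configuration ends up in place, the quickest way to tell whether the two symptoms in the question are fixed is to drive the full servlet filter chain from a test. The following MockMvc test is an added example, not code from the question or the answer above. It uses the Spring Boot 1.2.x test annotations and the Spring Security 3.2.x FilterChainProxy bean, and it assumes that the application class is MyApplication, that src/main/resources/public/css/main.css exists, and that /secure is a URL covered by anyRequest().fullyAuthenticated() (the /secure path is a hypothetical name chosen for the example).

```java
// Added example (not from the question or answer): exercises the real security
// filter chain through MockMvc so the test sees what a browser would see.
// Assumptions: application class MyApplication, a static file at
// src/main/resources/public/css/main.css, and a protected URL /secure (hypothetical).
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = MyApplication.class)
@WebAppConfiguration
public class SecurityConfigTest {

    @Autowired
    private WebApplicationContext context;

    // The bean Spring Security registers as "springSecurityFilterChain"
    @Autowired
    private FilterChainProxy springSecurityFilterChain;

    private MockMvc mvc;

    @Before
    public void setUp() {
        // Without addFilters() MockMvc would skip Spring Security entirely and
        // every request would look "fixed"
        mvc = MockMvcBuilders.webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }

    @Test
    public void staticCssIsServedToAnonymousUsers() throws Exception {
        // If web.ignoring() covers /css/** the request never reaches the
        // security filters and Boot's static resource handler answers it.
        // A 200 with an HTML body would mean the login page was returned instead.
        mvc.perform(get("/css/main.css"))
                .andExpect(status().isOk())
                .andExpect(content().contentTypeCompatibleWith("text/css"));
    }

    @Test
    public void anonymousRequestToProtectedUrlGets403NotRedirect() throws Exception {
        // Http403ForbiddenEntryPoint must answer 403 outright; a 302 to /login
        // means the form-login entry point is still the one being used
        mvc.perform(get("/secure"))
                .andExpect(status().isForbidden());
    }
}
```

Run the test once before changing the security configuration so that both assertions fail for the reasons described in the question, then again after each change; the second test in particular distinguishes "static files now load" from "403 is actually returned", which the browser's rendered page does not make obvious.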