Spring Boot Security not ignoring certian url via WebSecurity

0
votes

I am using Spring boot 1.3.2 with Spring Security. I have following configure(HttpSecurity http) method to inforce authentication

    protected void configure(HttpSecurity http) throws Exception {

    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
          private AntPathRequestMatcher[] requestMatchers = {
              new AntPathRequestMatcher("/iams/w/*")
          };
          @Override
          public boolean matches(HttpServletRequest request) {
            for (AntPathRequestMatcher rm : requestMatchers) {
              if (rm.matches(request)) { return true; }
            }
            return false;
          } // method matches

        };      


    http
        .csrf()
        .requireCsrfProtectionMatcher(csrfRequestMatcher)
        .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .requestCache()
            .requestCache(new NullRequestCache())
            .and()
        .httpBasic();
}

and I have following configure(WebSecurity web) method to ignore some of the urls as below;

    public void configure(WebSecurity web) throws Exception {

    web.ignoring().antMatchers(
            "/myapp/docs/**",
            "/myapp/docs/*",
            "/myapp/docs/index.html",
            "/resources/**", 
            "/static/**");

}

But http request to http://127.0.0.1:9000/myapp/docs/index.html still reuires username/password ( authentication ) and returns "status":401,"error":"Unauthorized"... Actually none of the ignore url on WebSecurity is working since it also requires authentication. If I provide the auth then it works. How can I simply ignore some urls (like "/myapp/docs/**" ) here. I have following definition in the SecurityConfig class 

@EnableWebSecurity

@EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter {

What am I missing ? Please Advise.

3
spring-securityspring-bootrestful-authentication

3 Answers

0
votes

There is an error order in your code. 

http
    .csrf()
    .requireCsrfProtectionMatcher(csrfRequestMatcher)
    .and()
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .requestCache()
        .requestCache(new NullRequestCache())
        .and()
    .httpBasic();

Therefore, any request is needed to be authenticated. You can directly use antMatchers.

http
        .authorizeRequests()
        .antMatchers("/iams/w/*")
        .authenticated()
        .and()
        .httpBasic()
        .and()
        .requestCache()
        .requestCache(new NullRequestCache())
        .csrf().disable()

I hope it's helpful for you.

0
votes

Thank you for your response but with your suggestion, my "/iams/w/*" is not protected at all. I can get to all these urls; "/iams/docs/**" , "/iams/w/" and "/iams/api/" without basic auth. Below is the set up as per your suggestion. Here I want to protect "/iams/w" and "/iams/api/" with username/password but let everyone get to "/iams/docs/*" without username/password. This is spring boot restful based implementation but want to expose some urls like docs so that it can be accessed by all and not the api calls.

    public void configure(WebSecurity web) throws Exception {

    web.ignoring().antMatchers(
            "/iams/docs/**",
            "/iams/docs/*",
            "/iams/docs/index.html",
            "/static/**");

}


@Override
protected void configure(HttpSecurity http) throws Exception {

    http
    .authorizeRequests()
    .antMatchers("/iams/api/**","/iams/api/v1/*")
    .authenticated()
    .and()
    .httpBasic()
    .and()
    .requestCache()
    .requestCache(new NullRequestCache())
    .and()
    .csrf().disable();
}
0
votes

It would probably be easier to use as simple a set of patterns as possible to leave unsecured, and then simply say that everything else IS secured.

This may be closer to what you want:

public static final String[] NOT_SECURED = {"/iams/docs/**","/static/**"};

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(NOT_SECURED);
}


@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .antMatchers(NOT_SECURED).permitAll()
      .anyRequest().authenticated()
      .and()
      .httpBasic()
      .and()
      .requestCache()
      .requestCache(new NullRequestCache())
      .and()
      .csrf().disable();
}