0
votes

I'm trying to make Spring Security permit access to static resources for all users, but so far nothing works. When I used JSP in a previous project, the solution was simple:

http
    .authorizeRequests()
    .antMatchers("/static/**").permitAll()
    .anyRequest().authenticated()

The static folder was placed inside the webapp folder, which was the root folder and was easily detected by Spring Security. Now, because of Thymeleaf, there is no webapp folder and all the static folders are placed in src/main/resources. I have no idea how to create an antMatcher for something that is inside the resources folder... I tried this:

http
    .authorizeRequests()
    .antMatchers("resources:/static/**").permitAll()
    .anyRequest().authenticated()

It never worked. What is the solution? P.S. I have seen a statement that Spring Boot + Spring Security allows this intra-resources access by default, but it does not.

2 Answers

2
votes

The solution is found. For my folder structure src/main/resources/static/css I should have used

.antMatchers("/css/**").permitAll()

instead of

.antMatchers("/static/**").permitAll()

-1
votes

Check my answer there: Spring boot mapping static html

Basically you have to add resource handlers by extending WebMvcConfigurerAdapter to map http://yoursite/static_url_prefix to your static_app_dir directory in your resources directory.

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/static_url_prefix/**").addResourceLocations("classpath:/static_app_dir/");
    super.addResourceHandlers(registry);
}

This will intercept all requests coming to http://yoursite/static_url_prefix and return results from classpath://static_app_dir in your jar file or from /resources/static_app_dir when running the application from your IDE.

Spring Security can be configured as before, as it has nothing to do with it, i.e. your first code example seems correct.
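A regression test for the matcher fix in the first answer, given as an added example that is not code from either answer: it checks that the stylesheet is public at its real URL while everything outside the `permitAll()` matcher still needs authentication. It assumes Spring Boot 2.2+ with JUnit 5, `spring-boot-starter-test` and `spring-security-test` on the test classpath, and a constructed file `src/main/resources/static/css/app.css`; the class and method names are hypothetical.

```java
// Added example, not from the original posts. Assumptions: Spring Boot 2.2+,
// JUnit 5, spring-boot-starter-test and spring-security-test on the test
// classpath, and a constructed file src/main/resources/static/css/app.css.
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest          // loads the application's own security configuration
@AutoConfigureMockMvc    // MockMvc runs requests through the security filter chain
class StaticResourceAccessTest {

    @Autowired
    private MockMvc mvc;

    // Spring Boot serves classpath:/static/ from the URL root, so the file
    // static/css/app.css is requested as /css/app.css. With
    // .antMatchers("/css/**").permitAll() it must load without credentials.
    @Test
    void stylesheetIsServedWithoutLogin() throws Exception {
        mvc.perform(get("/css/app.css")).andExpect(status().isOk());
    }

    // The classpath folder name is not a URL prefix: this path falls under
    // anyRequest().authenticated(). The exact status (401, 403 or a redirect)
    // depends on the configured entry point, so only "not 200" is asserted.
    @Test
    void folderNameStaticIsNotAPublicUrlPrefix() throws Exception {
        mvc.perform(get("/static/css/app.css")).andExpect(status().is(not(200)));
    }

    // Guards against a matcher that is too broad (for example "/**"):
    // an anonymous request to an application page must not succeed.
    @Test
    void pagesOutsideThePermitAllMatcherStayProtected() throws Exception {
        mvc.perform(get("/")).andExpect(status().is(not(200)));
    }
}
```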