Spring Boot + Spring Security permitAll() and addFilter() configuration does not have effect

6
votes
  1. URL patter with /login should go through the LoginFilter where the user id and password is validated - working fine
  2. URL pattern with /users/register should not go through any of the filer but it is always passing through the JWTAuthentication filter - not working fine
  3. All other URL pattern should go through the JWTAuthentication filter for authorization - working fine

Below is my code for Security Configuration. Kindly help me with what I am missing in this code. How do I configure the filter such that JWT authentication happens for the URL pattern other than /login and /register

Spring-security-core:4.2.3, spring-boot:1.5.4

 protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers(HttpMethod.POST, "/login").permitAll()
            .antMatchers(HttpMethod.POST, "/users/register").permitAll()
            .anyRequest().authenticated()
            .and()
            // We filter the api/login requests
            .addFilterBefore(new LoginFilter("/login", authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
            // And filter other requests to check the presence of JWT in header
            .addFilterBefore(new NoLoginAuthenticationFilter("/users/register"), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new JWTAuthenticationFilter("/**", authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class);

}
1
springspring-security

1 Answers

6
votes

What you want is to ignore certain URLs. For this override the configure method that takes WebSecurity object and ignore the pattern.

Try adding below method override to your config class.

@Override
public void configure(WebSecurity web) throws Exception {
    web
    .ignoring()
    .antMatchers("/users/register/**");
}