Security Configuration Using Spring-boot

I created a Spring configuration class for Spring Boot. My login page has CSS, JS resources and ICO files. The resources are refused for security reasons and are redirected to the login page each time. Why does @EnableWebMvcSecurity not add the resource locations in the classpath? After changing the code, as in the second fragment, the resource locations in the classpath are added. I don't understand what I'm missing for the resources in the first code fragment.

    @Configuration
    /*
     * Enable Spring Security's web security support and provide the Spring MVC integration.
     * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods
     * to set some specifics of the web security configuration.
     */
    @EnableWebMvcSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * The configure(HttpSecurity) method defines which URL paths should be
         * secured and which should not.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();

            // There is a custom "/login" page specified by loginPage(), and everyone
            // is allowed to view it.
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");
        }

        @Configuration
        protected static class AuthenticationConfiguration extends
                GlobalAuthenticationConfigurerAdapter {

            @Override
            public void init(AuthenticationManagerBuilder auth) throws Exception {
                // As for the configure(AuthenticationManagerBuilder) method, it sets up
                // an in-memory user store with a single user. That user is given a
                // username of "user@domain.com", a password of "password", and a role of "USER".
                auth
                    .inMemoryAuthentication()
                        .withUser("user@domain.com").password("password").roles("USER");
            }
        }
    }

I got this working by changing the code to

    @Configuration
    /*
     * Enable Spring Security's web security support and provide the Spring MVC integration.
     * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods
     * to set some specifics of the web security configuration.
     */
    public class WebSecurityConfig {

        @Bean
        public ApplicationSecurity applicationSecurity() {
            return new ApplicationSecurity();
        }

        @Bean
        public AuthenticationSecurity authenticationSecurity() {
            return new AuthenticationSecurity();
        }

        @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
        protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated();
                http
                    .formLogin()
                        .loginPage("/login.html")
                        .permitAll()
                        .and()
                    .logout()
                        .permitAll().logoutSuccessUrl("/login.html");
            }
        }

        @Order(Ordered.HIGHEST_PRECEDENCE + 10)
        protected static class AuthenticationSecurity extends
                GlobalAuthenticationConfigurerAdapter {

            @Override
            public void init(AuthenticationManagerBuilder auth) throws Exception {
                auth
                    .inMemoryAuthentication()
                        .withUser("user@domain.com").password("password").roles("USER");
            }
        }
    }

After changing the code, I noticed that the Ignore paths were added to the filter, and I see the following in the logs:

    [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain: Creating filter chain: Ant [pattern='/css/**'], []
    [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain: Creating filter chain: Ant [pattern='/js/**'], []
    [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain: Creating filter chain: Ant [pattern='/images/**'], []
    [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain: Creating filter chain: Ant [pattern='/**/favicon.ico'], []
    [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain: Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]
+13
3 answers

According to the docs, you disabled the Spring Boot autoconfig in the first example by using @EnableWebSecurity, so you have to explicitly ignore all static resources manually. In the second example, you simply provide a WebSecurityConfigurer, which is additive on top of the default autoconfig.

+11
source

Create a configuration file that extends WebSecurityConfigurerAdapter and annotate the class with @EnableWebSecurity.

You can override methods like configure(HttpSecurity http) to add basic security, as shown below

    @Configuration
    @EnableWebSecurity
    public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest().permitAll();
        }
    }
+3
source

Add the security bypass method below for CSS and JS in your security configuration -

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**");
    }
0
source
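
The first answer's point (with @EnableWebSecurity the static resources must be ignored explicitly) and the third answer's `configure(WebSecurity)` method, combined into one class; this is an added example, not code from the question or the answers. It assumes a Spring Security version that still ships WebSecurityConfigurerAdapter, as the page's code does; the class name `ExplicitIgnoreSecurityConfig` is hypothetical, and the four patterns are the ones shown in the question's log.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; the annotation is the one the first answer says
// makes Boot's defaults (including its ignore list) back off.
@Configuration
@EnableWebSecurity
public class ExplicitIgnoreSecurityConfig extends WebSecurityConfigurerAdapter {

    // The same patterns the question's log shows with an empty filter list ("[]").
    private static final String[] STATIC_RESOURCES = {
        "/css/**", "/js/**", "/images/**", "/**/favicon.ico"
    };

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored requests bypass the whole filter chain: no authentication,
        // no CsrfFilter, no HeaderWriterFilter. Keep this list limited to
        // static files and never put application endpoints in it.
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Everything that is not ignored above still requires a login;
            // CSRF protection stays at its default (enabled).
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // The custom login page must be reachable without authentication.
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll();
    }
}
```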

Source: https://habr.com/ru/post/1201680/

