Bootstrap not working when using Spring Security

Question

I´m currently getting my head into Spring Boot and working on a small sample project. But I´m facing a really confusing issue due to using Bootstrap with the Spring-Boot-Security package. When I´m using the following Code, the Page is not displayed with Bootstrap.

My SecurityConfiguration.java looks like this

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests().antMatchers("/","/products","/product/show/*","/console/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll();

        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("{noop}admin").roles("ADMIN")
            .and().withUser("user").password("{noop}user").roles("USER");
    }
}

What I think is a bit confusing is that I get a 301/ Unmodified, but as I tried this to prevent me from caching problems I completely reopened the browser and used a private window.

When I disable almost all security features, my Page is correctly rendered with Bootstrap.

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests().antMatchers("/","/products","/product/show/*","/console/**").permitAll();


        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }
}

I include bootstrap using Webjars

<dependency>
    <groupId>org.webjars</groupId>
    <artifactId>bootstrap</artifactId>
    <version>3.3.4</version>
</dependency>

In my Frontend Code using a template Engine called Thymeleaf. I include bootstrap with the following code:

 <link href="http://cdn.jsdelivr.net/webjars/bootstrap/3.3.4/css/bootstrap.min.css"
          th:href="@{/webjars/bootstrap/3.3.4/css/bootstrap.min.css}"
          rel="stylesheet" media="screen" />

The include above is inside a file called headerinc.html, which is included in the acutal page like this:

<!DOCTYPE html>
<html>
<head lang="en">

    <title>Spring Framework Guru</title>

    <!--/*/ <th:block th:include="fragments/headerinc :: head"></th:block> /*/-->
</head>
<body>

<div class="container">
    <!--/*/ <th:block th:include="fragments/header :: header"></th:block> /*/-->
</div>
</body>
</html>

What cannot be the problem: For Example not using mvn clean / mvn install. I did this.

Can someone point me in the right direction here? Thanks in advance.

Answer 1

Use this to authorize all resource files avaiable in src/main/resources/static folder ,you can add folders accordingly.

//this method allows static resources to be neglected by spring security
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/**", "/static/**","/webjars/**");
    }