What is the difference between these two methods?
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/**").permitAll();
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/api/**");
}
In a Spring Security configuration class, when I use the HttpSecurity one it still gives me 403 Forbidden, but when I use the WebSecurity one it passes fine? Why is that? I feel like I barely control what is permitted and what needs to be authorized via filter.
I suggest you skim over this article: Spring Security Java Config Preview: Web Security. The differences between the two approaches in your code are:
HttpSecurity allows configuring web-based security for HTTP requests. At this level, you declare the authentication rules.
WebSecurity allows configuring things that have a global impact on all of the web security, such as setting the debug mode or enabling further firewall configuration using an implementation of the HttpFirewall, or simply ignoring resources as your code shows.
You might be interested in the 3rd configure method of WebSecurityConfigurerAdapter, which uses AuthenticationManagerBuilder, which enables and assures the authentication mechanism such as LDAP-based authentication or the JDBC-based one.
It's a bit of an abstract question and there is a bit of an abstract answer.
[flow 1] Imagine a big office building. There is a main reception on the ground floor; the reception on the ground floor may let you into the building, and if you want to go to a company, let's say B, they will lead you there, but they can't let you into any company's office, because they are honest and each office has its own reception. When you come to the B office reception you will need to authenticate there (just a guest, an anonymous person who wants to see their office, worker/user, admin, etc.) and it's only up to them whether they let you in any further.
[flow 2] Imagine also that in the same big office building there is a restaurant/shop/toilet. When you come to the main reception on the ground floor and ask them where the restaurant is, they will lead you there; you shouldn't authenticate here, they have no idea who you are and they shouldn't:
web.ignoring().antMatchers("/restaurant/**");
[flow 3] Imagine that in the same big office building there is a company C which decided to open a gallery on their floor (in one room, not in the whole office):
web.ignoring().antMatchers("/C/gallery/**");
http.authorizeRequests().antMatchers("/C/gallery/**").permitAll();
In both cases the result will be the same, the visitor will see the gallery of company C, but in the flow with http there are many steps/persons (filters in the case of Spring Security) involved - it's a bit slower and there's no need for it for static resources.
The main reception on the ground floor is WebSecurity; it's the only one in the whole application/building.
Any company's reception is a WebSecurityConfigurerAdapter (each WebSecurityConfigurerAdapter has only one HttpSecurity); you can have as many of them as you wish and each of them may have a totally separate authentication flow, security requirements, etc., but all of them can ask WebSecurity to give access to some of the resources to anyone without any authentication. WebSecurity doesn't even know how to authenticate the user - there is no such option.
To sum up your question, these two approaches should give the same effect; if not, that means that WebSecurityConfigurerAdapter has some additional configuration (by default e.g. csrf etc.) which changes the behaviour. Also, WebSecurityConfigurerAdapter by default has ExceptionTranslationFilter, which catches security exceptions and returns the appropriate status (401, 403). To give you a better answer you should provide more details. Create a new project just with the configuration you showed, and disable csrf: http.csrf().disable().
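As an added example, not part of either answer above, here is one configuration class that uses each configure method for its intended role and exempts the question's /api/** path from CSRF instead of disabling it globally; the /static/** and /favicon.ico patterns, httpBasic() and the class name are assumptions, not taken from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // WebSecurity: the "main reception". Requests matching these patterns never
    // enter the Spring Security filter chain at all: no SecurityContext, no CSRF
    // check, no security headers, no ExceptionTranslationFilter. Reserve it for
    // static content that needs none of that (patterns assumed for illustration).
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/static/**", "/favicon.ico");
    }

    // HttpSecurity: the "company reception". Requests still pass through every
    // filter; permitAll() only tells the authorization step that anyone may proceed.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // CSRF protection is on by default, so a POST/PUT/DELETE to a
            // permitAll() path is still rejected with 403 unless it carries a
            // valid CSRF token. Exempt only the stateless API paths rather than
            // turning CSRF off for the whole application.
            .csrf()
                .ignoringAntMatchers("/api/**")
                .and()
            .httpBasic();   // assumed authentication mechanism for the other paths
    }
}
```

With this in place, a GET or a POST to /api/** passes, while the rest of the application keeps CSRF, security headers and the 401/403 handling of the filter chain.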