I want to define something similar to this XML in Spring Boot using Java Config.
    <http pattern="/webservices/**" security="none"/>
I need a different way of securing them and cannot do form-logins. Securing them will come later. For now, I want to stop securing them with http.formLogin().
I have overridden WebSecurityConfigurerAdapter.configure() as such. I cannot find an API to say, like this:
    http.securityNone().antMatchers("/webservices")
Here is my configure() method now:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.headers().frameOptions().disable();
        http.authorizeRequests()
            .antMatchers("/resources/**",
                //"/services/**", THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'. NO GOOD!
                //"/remoting/**", THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'. NO GOOD!
                "/pages/login",
                "/pages/loginFailed").permitAll()
            // Only authenticated can access these URLs and HTTP METHODs
            .antMatchers("/secured/**").authenticated()
            .antMatchers(HttpMethod.HEAD,"/**").authenticated()
            .antMatchers(HttpMethod.GET,"/**").authenticated()
            .antMatchers(HttpMethod.POST,"/**").authenticated()
            .antMatchers(HttpMethod.PUT,"/**").authenticated()
            .antMatchers(HttpMethod.DELETE,"/**").authenticated();
        // Accept FORM-based authentication
        http.formLogin()
            .failureUrl("/pages/loginFailed")
            .defaultSuccessUrl("/")
            .loginPage("/pages/login")
            .permitAll()
            .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/pages/logout"))
            .logoutSuccessUrl("/pages/login")
            .permitAll();
        http.formLogin().successHandler(new AppLoginSuccessHandler());
    }
The first thing you need to do is add Spring Security to the classpath. The WebSecurityConfig class is annotated with @EnableWebSecurity to enable Spring Security's web security support and provide the Spring MVC integration.
What you want is to ignore certain URLs. For this, override the configure method that takes a WebSecurity object and ignore the pattern, and remove that line from the HttpSecurity part. This will tell Spring Security to ignore this URL and not apply any filters to it.
WebSecurityConfigurerAdapter is a convenience class that allows customization to both WebSecurity and HttpSecurity. We can extend WebSecurityConfigurerAdapter multiple times (in distinct objects) to replicate the behavior of having multiple http elements.
According to the WebSecurityConfigurerAdapter JavaDocs:
    /**
     * Override this method to configure {@link WebSecurity}. For
     * example, if you wish to ignore certain requests.
     */
    public void configure(WebSecurity web) throws Exception {
    }
You can do that like this:
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
            .antMatchers("/webservices/**");
    }
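The multiple-adapter approach mentioned above ("replicate the behavior of having multiple http elements"), as an added example that is not code from the original question or answers: `/webservices/**` gets its own filter chain with no form login, so it can be given its own authentication later, while requests still pass through Spring Security's filters (with `web.ignoring()` they bypass the filter chain entirely, so no security response headers are written and no security context exists for them). The class names and the `permitAll()` placeholder are assumptions, and under that placeholder requests are still treated as anonymous.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class MultiChainSecurityConfig {   // hypothetical class name

    // Chain 1: consulted first, applies only to /webservices/**
    @Configuration
    @Order(1)
    public static class WebServicesSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/webservices/**")   // scope this chain to the web service URLs
                .csrf().disable()                // assumption: non-browser clients, no session cookie
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    // Placeholder: open for now. Replace with .authenticated() plus the
                    // chosen scheme (e.g. .httpBasic()) when the services are secured.
                    .anyRequest().permitAll();
            // No formLogin() here, so these URLs never redirect to /pages/login.
        }
    }

    // Chain 2: everything else keeps the form login
    @Configuration
    @Order(2)
    public static class FormLoginSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/resources/**", "/pages/login", "/pages/loginFailed").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/pages/login")
                    .failureUrl("/pages/loginFailed")
                    .defaultSuccessUrl("/");
        }
    }
}
```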