I have spring-security securing some paths in my app and leaving others open for anonymous access. The problem I am running into is related to the open parts where I have left the access as "permitAll". I only want to protect certain paths from access by a non-ADMIN but I do want the admin user to be recognizable when they are in the open parts of the path.
Thymeleaf template (partial):
<p>Hello Spring Boot User <span th:text="${username}"/>!</p>
<div sec:authorize="isAnonymous()">isAnonymous</div>
<div sec:authorize="isRememberMe()">isRememberMe</div>
<div sec:authorize="isAuthenticated()">isAuthenticated</div>
<div sec:authorize="isFullyAuthenticated()">isFullyAuthenticated</div>
NOTE: The model defines the username as:
String username = (principal != null ? principal.getName() : "ANONYMOUS");
Config (Java based) - there are multiple types of authentication being used
@Configuration
public static class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/form/**").authorizeRequests().anyRequest().authenticated()
            .and().formLogin().permitAll().loginPage("/form/login").loginProcessingUrl("/form/login")
            .and().logout().logoutUrl("/form/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
    }
}

@Order(45) // LOW
@Configuration
public static class BasicAuthConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/basic/**").authorizeRequests().anyRequest().authenticated()
            .and().httpBasic();
    }
}
There is no security config for the /open path. Just a controller. There is also a controller for the /form path. Those are both something like this (just the path varies for now):
@Controller
@RequestMapping("/open")
public class OpenController extends BaseController {
    @RequestMapping({"", "/"})
    public String home(HttpServletRequest req, Principal principal, Model model) {
        commonModelPopulate(req, principal, model);
        return "home"; // name of the template
    }
}
If I go to this path /open (not protected) I see:
Hello Spring Boot User ANONYMOUS!
But if I go to this path /form (form login protected - after login) I see:
Hello Spring Boot User admin!
isAuthenticated
isFullyAuthenticated
So I think there might be multiple issues here. The first is that the Thymeleaf sec:authorize attributes are not doing anything, and the second is that it seems like I can only access the Principal and other security info if I am under a protected path.
Is there a way to protect just one path (and sub paths) but allow the Principal and security data to be accessed everywhere else in my app?
Your '/open' resource is not mapped to any Security filters. It looks to me like you need a default WebSecurityConfigurer (with the default path pattern "/**") and marked as permitAll(). It should have a higher @Order than the others so it acts as a fallback.
@Order(67) // LOWEST
@Configuration
public static class NoAuthConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
    }
}
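The following is an added example of the complete arrangement the answer describes, not code from the question or the answer. It assumes the package name `example.security`, the class names `FormLoginChain`, `BasicAuthChain`, `FallbackChain` and `OpenController`, and the `@Order` values 10, 20 and 30; it also uses `hasRole("ADMIN")` on the protected paths to match the "non-ADMIN" intent stated in the question. One point that the page does not spell out but that this example depends on: an adapter with no `@Order` annotation defaults to order 100, so every path-specific adapter needs an explicit value smaller than the catch-all, otherwise `/**` is matched first and swallows the protected paths. `WebSecurityConfigurerAdapter` is deprecated from Spring Security 5.7 and removed in 6, so this is written for the 5.x API the question uses.

```java
package example.security; // assumed package, not from the question

import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Most specific chains first: the LOWER @Order value is consulted first.
    // Every path-specific adapter gets an explicit value; the default (100)
    // would sort AFTER the catch-all below and never be reached.
    @Order(10)
    @Configuration
    public static class FormLoginChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/form/**")
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and().formLogin()
                    .loginPage("/form/login").loginProcessingUrl("/form/login").permitAll()
                .and().logout()
                    .logoutUrl("/form/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
        }
    }

    @Order(20)
    @Configuration
    public static class BasicAuthChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/basic/**")
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and().httpBasic();
        }
    }

    // Catch-all chain with the HIGHEST @Order value, so it only handles requests
    // no earlier chain claimed. Without it, /open never enters the security
    // filter chain: no SecurityContext is loaded from the session, and the
    // Principal injected into the controller is null even for a logged-in admin.
    @Order(30)
    @Configuration
    public static class FallbackChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**")
                .authorizeRequests().anyRequest().permitAll();
            // Session-backed SecurityContext persistence is enabled by default, so a
            // user who authenticated under /form/** is recognised here through the
            // same session while nothing on this path is actually restricted.
        }
    }

    // Hypothetical controller used only to check the effect: under /open the
    // Principal is now non-null after a /form/login, and null when anonymous.
    @Controller
    @RequestMapping("/open")
    public static class OpenController {
        @GetMapping({"", "/"})
        @ResponseBody
        public String home(Principal principal) {
            String username = (principal != null ? principal.getName() : "ANONYMOUS");
            return "Hello Spring Boot User " + username + "!";
        }
    }
}
```

With this in place, visiting /open before logging in still returns ANONYMOUS, while visiting it in the same session after a successful /form/login returns the admin's name, because the request now passes through the fallback chain and its SecurityContextPersistenceFilter. The template-side `sec:authorize` attributes are a separate concern not covered by the answer: they only render when the Thymeleaf Spring Security dialect (the thymeleaf-extras-springsecurity module) is on the classpath and registered with the template engine.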