We're reworking our product to remove the default "anonymousUser" behavior in SpringSecurity and would like to lock down all URLs (via filter security) with the exception of just a few endpoints. What we can't figure out is how to specify "lock down everything except X, Y, and Z"
Our security setup essentially boils down to the following:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // disable anonymous users
            .anonymous().disable()
            // don't add ROLE_ to the role...
            .authorizeRequests()
                .regexMatchers("^/", "^/login", "^/mobile/login", "^/api/auth/.*")
                    .authenticated()
                .and()  
        ;
    }
}
Other routes I've taken have been akin to :
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // disable anonymous users
            .anonymous().disable()
            // don't add ROLE_ to the role...
            .authorizeRequests()
            .antMatchers("/**")
                .authenticated()
            .antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**")
                .permitAll()
            .and()
        ;
    }
}
Any advice / input would be appreciated.
Thanks!
Show activity on this post. When using permitAll it means every authenticated user, however you disabled anonymous access so that won't work. What you want is to ignore certain URLs for this override the configure method that takes WebSecurity object and ignore the pattern. Show activity on this post.
If Spring Security is on the classpath, Spring Boot automatically secures all HTTP endpoints with “basic” authentication. However, you can further customize the security settings. The first thing you need to do is add Spring Security to the classpath.
Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them.
We're reworking our product to remove the default "anonymousUser" behavior in Spring Security
I'm wondering what you mean by this. Based on the rest of the description, I don't think you need the following (i.e. you should remove it):
anonymous().disabled()
The above says that the user will be null if no user is authenticated, which tends to lead to NullPointerExceptions.
Remember that for authorizeRequests() (or for <intercept-url> ) ordering matters. The Java configuration you have (reformatted slightly for readability)
.authorizeRequests()
    .antMatchers("/**").authenticated()
    .antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**").permitAll()
    .and()
is going to use the following logic:
Instead you should use the following:
.authorizeRequests()
    .antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**").permitAll()
    .anyRequest().authenticated()
    .and()
NOTE: antMatchers("/**") is more concisely represented as anyRequest().
The answer from Rob Winch will be the correct answer in nearly all cases and is the approach that I take in my projects. I do think that it is also worth noting that another possible approach could be to do the following:
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/assets/**", "/index.html");
}
PLEASE NOTE that this is a separate method from the one in the examples you submitted earlier. That method has a parameter of type
HttpSecuritywhile this one is of typeWebSecurity.
What this code sample will do is find any requests that match and completely skip the HTTP security filters all together.
So if you want to optimize some requests that you know will need ZERO of the features that HttpSecurity provides then this could be a good solution. This means that if you use features like csrf(), requestCache(), headers() they WILL NOT be applied to the matching requests from the example above ("/assets/**", "/index.html")
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With