Menu
I have the below config in my application.yml
server:
#address:
port: 8443
sessionTimeout: 30
ssl:
client-auth: need
key-store: keyStore.jks
key-store-password: 12345
key-password: datacert
protocol: TLS
trust-store: truststore.jks
trust-store-password: 12345
Since I have client-auth: need, my application is prompting for certificate for all the URL's, is there anyway I can bypass client auth for some specific URL's like /info or \health URLs?
516
Securing the URLs The most common methods are: authenticated(): This is the URL you want to protect, and requires the user to login. permitAll(): This is used for URL's with no security applied for example css, javascript. hasRole(String role): Restrict to single role.
If you find that specific auto-configure classes are being applied that you don't want, you can use the exclude attribute of @EnableAutoConfiguration to disable them. If the class is not on the classpath, you can use the excludeName attribute of the annotation and specify the fully qualified name instead.
enabled=false and management. security. enabled=false should be set to disable the security.
Spring boot does not allow to mix http and https. It is also not suggested to mix the URL's with insecure pages.
If you need only certain URL's to be secure please implement a custom authentication as by default the SSL handshake will happen for each and every request.
You can refer these discussions: How set up Spring Boot to run HTTPS / HTTP ports
For instance the request will reach to the server only after it is authenticated.
You may try to create and capture the request using Filters but I doubt that you will get the request at server before it is authenticated by web server.
e.g. Try adding java Filter and capture the required URL's to filter secure and non secure. (Filter is configurable under web.xml or as annotation). Other option is to try Spring Security filter chain proxy.
72
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
