user1679671

Spring Security doesn't allow resource

I have this configuration:

    http.csrf().disable();
    http.authorizeRequests()
            .antMatchers("/**").authenticated()
            .antMatchers("/shutdown").permitAll()
            .and().formLogin().passwordParameter("password").usernameParameter("username")
            .and().formLogin().loginPage("/authentication.html").permitAll()
            .and().formLogin().loginProcessingUrl("/login")
            .and().formLogin().failureUrl("/authentication.html")
            .and().formLogin().defaultSuccessUrl("/", false);

Authentication works perfectly, but I don't have access to /shutdown without authentication. What could be the reason for this?

/shutdown - the shutdown hook of Spring Boot.

Upvotes: 1

Views: 1339

Answers (3)

Rob Winch

Reputation: 21730

As already mentioned, "/**" means any request, and only the first pattern that is matched will be used. One thing to note is that you can clean up your configuration quite a bit. See the cleaner version below:

http
   .csrf().disable()
   .authorizeRequests()
       .antMatchers("/shutdown").permitAll()
       .anyRequest().authenticated()
       .and()
   .formLogin()
       .loginPage("/authentication.html")
       .loginProcessingUrl("/login")
       .failureUrl("/authentication.html")
       .permitAll();

Highlights of the changes:

  • You should not ever need to type http twice. You can do this, of course, but it is not required, and it saves you typing.
  • .antMatchers("/**") has an alias of .anyRequest(), which reads a lot nicer.
  • When specifying properties for .formLogin(), you only need to specify .formLogin() once. Like http, you can state it multiple times, but it is a lot more concise not to do this.
  • defaultSuccessUrl does not need the false parameter (it is the equivalent of omitting the parameter altogether). For example, instead of .defaultSuccessUrl("/", false), you can state .defaultSuccessUrl("/"). Furthermore, the default value for .defaultSuccessUrl is already "/". This means you can remove it altogether.
  • You will notice that I follow an exact formatting for the JavaConfig that is outlined in this blog.

Upvotes: 4

Jigish

Reputation: 1784

It is intentionally designed that way. See the Actuator endpoints description in the Spring Boot Guide. And for a good reason: it's a bad idea to leave the shutdown hook open without any security. Anyone who knows the URL could shut down your application.

Upvotes: 0

Serge Ballesta

Reputation: 149185

It's normal. Spring tries patterns in sequence and stops at the first one that matches. As your first pattern is /**, it catches everything, and the next patterns are not even analyzed. You should always put the catch-all as the last pattern:

    http.csrf().disable();
    http.authorizeRequests()
            .antMatchers("/shutdown").permitAll()
            .antMatchers("/**").authenticated()
            .and().formLogin().passwordParameter("password").usernameParameter("username")
            .and().formLogin().loginPage("/authentication.html").permitAll()
            .and().formLogin().loginProcessingUrl("/login")
            .and().formLogin().failureUrl("/authentication.html")
            .and().formLogin().defaultSuccessUrl("/", false);

Upvotes: 0
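The first-match behaviour that both Rob Winch's and Serge Ballesta's answers describe, as an added simulation that is not Spring code and not from any of the posts: `ant_to_regex` is a constructed approximation of Spring's AntPathMatcher (it handles `**` and `*` only), `decide` walks the rules in declaration order and stops at the first match, and `shadowed` is a constructed lint that reports literal patterns an earlier rule already covers, which is exactly the mistake in the question.

```python
import re
from typing import List, Tuple

Rule = Tuple[str, str]  # (ant pattern, "permitAll" or "authenticated")


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Anchored regex for an Ant-style pattern (constructed approximation of
    Spring's AntPathMatcher: ** spans path segments, * stays within one)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def decide(rules: List[Rule], path: str, authenticated: bool) -> str:
    """'allow' or 'deny' from the FIRST rule whose pattern matches the path;
    later rules are never consulted, so a leading catch-all hides /shutdown."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            if access == "permitAll":
                return "allow"
            return "allow" if authenticated else "deny"  # authenticated
    return "deny"  # nothing matched: fail closed


def shadowed(rules: List[Rule]) -> List[str]:
    """Literal patterns that can never fire because an earlier rule already
    matches them: a lint for exactly the ordering mistake in the question."""
    dead = []
    for idx, (pattern, _) in enumerate(rules):
        if "*" in pattern:
            continue  # only literal paths are checked
        if any(ant_to_regex(p).match(pattern) for p, _ in rules[:idx]):
            dead.append(pattern)
    return dead


# Orderings from the question and from the answers (constructed inputs).
QUESTION_ORDER: List[Rule] = [("/**", "authenticated"), ("/shutdown", "permitAll")]
FIXED_ORDER: List[Rule] = [("/shutdown", "permitAll"), ("/**", "authenticated")]
```

Running `shadowed(QUESTION_ORDER)` reports `/shutdown` as unreachable, while the reordered rules leave nothing shadowed and still deny every other path to anonymous requests.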
