Glory to Russia
Reputation: 18730
How to disable authentication for one service in Spring Boot?
I have a Spring Boot application, in which most of the pages are secured (you need to log in to access them) using following security configuration.
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class SecurityConfiguration extends
WebSecurityConfigurerAdapter {
@Autowired
public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("myapp")
.roles("ADMIN")
.and()
.withUser("guest")
.password("guest")
.roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/index.html", "/home.html", "/login.html", "/")
.permitAll()
.anyRequest().authenticated().and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
}
private CsrfTokenRepository csrfTokenRepository() {
final HttpSessionCsrfTokenRepository repository =
new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
}
In my application class, I have a service publicData, which I want to be accessible without authentication (even, if the user isn't logged in).
@SpringBootApplication
@RestController
public class MyAppApplication {
@RequestMapping("/resource")
public Map<String,Object> home() {
final Map<String,Object> model = new HashMap<>();
model.put("id", UUID.randomUUID().toString());
model.put("content", "Hello World");
return model;
}
@RequestMapping("/publicData")
public String publicData() {
return ...;
}
@RequestMapping("/user")
public Principal user(final Principal user) {
return user;
}
public static void main(final String[] args) {
SpringApplication.run(MyAppApplication.class, args);
}
}
How can I do this?
I tried
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/index.html", "/home.html", "/login.html", "/")
.permitAll()
.anyRequest().authenticated().and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.and()
.authorizeRequests()
.antMatchers("/publicData").permitAll();
}
but it didn't work.
Upvotes: 1
Views: 2439
Answers (1)
paul
Reputation: 13471
You can create a role with all permission to access and grant that access just in some methods using Spring security annotation http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
Of course every user need to get this role automatically when he connect in your application.
<http use-expressions="true">
<intercept-url pattern="/*"
access="hasRole('admin')"/>
</http>
Then in your free access method
@PreAuthorize("hasRole('admin')")
public void create(Contact contact);
Upvotes: 1
Related Questions
- Spring Boot 2.0: how to disable security for a particular endpoint
- Spring boot: Permit specific services to avoid security
- How to turn off Spring Security in Spring Boot Application
- Disable Basic Authentication(Spring Security) for one request and leave for all any
- How can I disable authentication for a specific endpoint?
- Disable Basic Authentication while using Spring Security Java configuration
- Spring security configuration: enable/disable authentication
- How to allow certain endpoint in spring security to be allowed without authentication?
- Spring boot + Spring Security: how to suppress the basic auth form
- Spring Security : bypass @Secured for specific service