CODEWITHSUNDEEP
spring-security
al gh
al gh

Reputation: 528

Spring Security WebSecurityConfig Ignore certain requests with multiple conditions

I am trying to bypass all the filters and security layers by extending WebSecurityConfigurerAdapter class and implementing configure(WebSecurity web) method.

It works perfectly if I want to have multiple endpoints to be ignored. It works as well if I wanted to ignore either requests with a specific endpoint or having certain request header, but it does not work satisfying two conditions, meaning ignoring a request with certain path and certain request header. It basically ignores if either of those conditions are met. I have tried different variations like:

RequestHeaderRequestMatcher requestHeaderRequestMatcher = new RequestHeaderRequestMatcher(HEADER_HEALTH_CHECK, "1");
AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher("/healthStats");
web
    .ignoring()
        .requestMatchers(requestHeaderRequestMatcher, antPathRequestMatcher);

web
    .ignoring()
        .requestMatchers(requestHeaderRequestMatcher)
        .antMatchers("/healthStats");

Upvotes: 2

Views: 3052

Answers (1)

dur
dur

Reputation: 17009

You have to combine the two request matchers, see AndRequestMatcher:

RequestMatcher that will return true if all of the passed in RequestMatcher instances match.

Your modified configuration:

RequestHeaderRequestMatcher requestHeaderRequestMatcher = new RequestHeaderRequestMatcher(HEADER_HEALTH_CHECK, "1");
AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher("/healthStats");
AndRequestMatcher andRequestMatcher = new AndRequestMatcher(requestHeaderRequestMatcher, antPathRequestMatcher);
web
    .ignoring()
        .requestMatchers(andRequestMatcher);

Upvotes: 2

Related Questions