Stefano Pisano

Reputation: 438

How to allow request from a certain url with spring security

I'm developing a simple project in order to learn something about spring.

I've created the login page and all the authentication management. Now I'm trying to build the registration page. I've done both the backend and frontend sides, but I have a problem.

The 'Save' button sends a POST request with path user/signup but it fails; the network console says 302. I think that it is a security problem, because if I authenticate and then try to register a user, the request is successful. So maybe I need to tell Spring Security that the registration request must be available to all users, including unauthenticated ones. I put the path user/signup in Spring Boot but it doesn't work. I also tried using only /signup.

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/script/**", "/css/**", "/getRegisterPage", "user/signup");
}

This is the project: https://github.com/StefanoPisano/expenses (branch 0.2)

Upvotes: 3

Views: 9664

Answers (2)

Lemmy

Reputation: 2575

This

web.ignoring().antMatchers("/script/**", "/css/**", "/getRegisterPage","/user/signup");

will ignore all requests with these patterns.

What you need is:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/resources/**", "/user/signup").permitAll()
            .anyRequest().fullyAuthenticated()
            .and()
        .formLogin()
            .loginPage("/getLoginPage")
            .loginProcessingUrl("/login")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/home", true)
            .permitAll();

    http
        .csrf().disable();
}

permitAll() - Allows anyone (including unauthenticated users) to access the URL. Check this for more information: https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html

Upvotes: 2

Sébastien Temprado

Reputation: 1463

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/script/**", "/css/**", "/getRegisterPage","/user/signup").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/getLoginPage")
            .loginProcessingUrl("/login")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/home", true)
            .permitAll();
}

Upvotes: 2
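
A regression test for the access rules in the answers above, as an added example that is not part of either answer or of the asker's project. It assumes a Spring Boot application with spring-security-test and JUnit 5 on the test classpath; the class name, the form parameter names and the sample values are hypothetical.

```java
// Added example: checks that /user/signup is open to anonymous users while
// everything else still requires login. Assumes the HttpSecurity rules from the
// answers (login page at /getLoginPage) are the application's configuration.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class SignupAccessRulesTest { // hypothetical class name
    @Autowired private MockMvc mvc;

    // permitAll() on /user/signup: an anonymous POST must not be bounced to the login page.
    @Test
    void anonymousSignupIsNotRedirectedToLogin() throws Exception {
        mvc.perform(post("/user/signup").with(csrf())
                .param("username", "alice")             // constructed sample values;
                .param("password", "constructed-pass")) // parameter names are assumed
           .andExpect(result -> {
               String location = result.getResponse().getRedirectedUrl();
               assertTrue(location == null || !location.contains("/getLoginPage"));
           });
    }

    // Any other URL stays protected: anonymous access gets the 302 to the login page.
    @Test
    void anonymousRequestToProtectedPageIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/home"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/getLoginPage"));
    }

    // Applies only when CSRF protection is left enabled (the second answer's config):
    // permitAll() still runs the filter chain, so a POST without a token gets 403.
    @Test
    void signupWithoutCsrfTokenIsRejected() throws Exception {
        mvc.perform(post("/user/signup")).andExpect(status().isForbidden());
    }
}
```

Paths listed under `web.ignoring()` skip the security filter chain entirely, so Spring Security would not produce the 403 in the third test for them; that is the practical difference between ignoring a path and marking it `permitAll()`.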
