jc1992

Reputation: 644

SpringBoot and SpringSecurity Configuration about 404 error page

I have a problem with Spring Security and error pages, because when I am logged in to the application I can show when the page does not exist.


But when I am out of the application, my Spring Security shows the login page by default.

This is my Spring Security configuration.

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Autowired
    private DataSource dataSource;

    @Value("${spring.queries.users-query}")
    private String usersQuery;

    @Value("${spring.queries.roles-query}")
    private String rolesQuery;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.
            jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource)
                .passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.
            authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/registration").permitAll()
                .antMatchers("/admin/**").hasAuthority("ADMIN")
                .antMatchers("/user_login").hasAuthority("USER").anyRequest()
                .authenticated().and().csrf().disable().formLogin()
                .loginPage("/login").failureUrl("/login?error=true")
                .defaultSuccessUrl("/user_login")
                .usernameParameter("email")
                .passwordParameter("password")
                .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .and().exceptionHandling()
                .accessDeniedPage("/access-denied");


    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
           .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**");
    }

}

This works correctly, but I don't know why, when I am out of the application, I am redirected to the login page.

Any solution for this?

Regards!

Upvotes: 0

Views: 1348

Answers (1)

Fima Taf

Reputation: 977

All the requests other than /, /login, /registration require the user to be authenticated (anyRequest().authenticated()), and when you enable formLogin(), Spring's filters will redirect all unauthenticated requests to the login page even if the page doesn't exist. That is why you are redirected to the login page and do not get a 404 error.

For testing purposes you can add a test matcher without adding an actual endpoint in the controller like this: .antMatchers("/test").permitAll() and try to access this endpoint without being authenticated and you will get the 404 error page.

P.S. Make sure that the 404 response is not blocked as well (if it is a controller response then enable it as well, because your js is allowed for everyone).

Upvotes: 1
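
The behaviour described in this answer can be pinned down with a MockMvc test. This is an added example, not code from the question or the answer; it assumes Spring Boot 2.x with JUnit 5 and spring-security-test, an application context that loads in tests, and that the `/test` matcher from the answer has been added. The class name and the path `/no-such-page` are hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class; runs against the SecurityConfiguration from the question.
@SpringBootTest
@AutoConfigureMockMvc
class UnknownPathSecurityTest {

    // Constructed path that no controller or static resource maps to.
    private static final String MISSING = "/no-such-page";

    @Autowired
    private MockMvc mvc;

    @Test
    void anonymousRequestForMissingPageIsSentToLogin() throws Exception {
        // anyRequest().authenticated() rejects the request in the security
        // filter chain, before Spring MVC looks for a handler, so formLogin()
        // answers with a redirect instead of a 404.
        mvc.perform(get(MISSING))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    @WithMockUser(authorities = "USER")
    void authenticatedRequestForMissingPageGets404() throws Exception {
        // Once authenticated, the request reaches Spring MVC, which finds no handler.
        mvc.perform(get(MISSING)).andExpect(status().isNotFound());
    }

    @Test
    void permittedPathWithoutControllerGets404() throws Exception {
        // Assumes .antMatchers("/test").permitAll() was added as the answer suggests.
        mvc.perform(get("/test")).andExpect(status().isNotFound());
    }
}
```

MockMvc does not perform the container's error dispatch, so these tests check the status code only, not the rendered error page.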
