Reputation: 5045
Exclude URL from requiresSecure()
I have an application where I want to force HTTPS for all requests except one. For that one URL I don't care if it is HTTP/HTTPS.
I currently have the following security config
http.requiresChannel()
.antMatchers("/actuator/health").requiresInsecure()
.antMatchers("/*").requiresSecure();
The issue is that this requires actuators health endpoint to be accessed on HTTPs, but I don't really care what protocol is used (I would prefer both). When you configure authorization you have permitAll, which doesn't care if you are authenticated or not, why is the not a similar mechanism for channel security.
Does anyone know how to exclude a URL from the channel security mechanism.
Upvotes: 1
Views: 699
Answers (2)
Reputation: 61
I think you could try something like this:
http.requiresChannel()
.antMatchers("/actuator/health").requires(ChannelDecisionManagerImpl.ANY_CHANNEL)
.anyRequest().requiresSecure();
Upvotes: 2
Reputation: 6936
you could use a regex-matcher that matches all urls except the one you want to exclude like:
http...
.and()
.requiresChannel()
.regexMatchers("^((?!/actuator/health).)*$").requiresSecure();`
note I'am not a regex-expert (possibly there is improvement needed)
Upvotes: 2
Related Questions
- How to disable spring security for particular url
- Spring Security exclude url patterns in security annotation configurartion
- Allow all URLs but one in Spring security
- Bypass Spring Security Filter for URL
- How to authenticate some URL and ignore anything else
- Spring Security disable security for requests made FROM a certain url
- Do not call Spring Security pre-authentication filter for specific URL and HTTP method
- Failing to exclude some URLs from Spring Security protection
- How to force https on certain URL only on Spring Security?
- Spring Security: Ignore login page by using a special URL parameter