Reputation: 1168
Unable to load static content in spring security
I have built a basic spring authentication service from this source: https://spring.io/guides/gs/securing-web/
Tried to include JS files from Local folders using almost all solutions on stackoverflow but I couldn't. When the html page loads, it says:
"Uncaught ReferenceError: myFunction is not defined"
Here is my home.html script:
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Spring Security Example</title>
<script type="javascript" src="test.js"></script>
</head>
<body onload="myFunction()">
<h1>Welcome!</h1>
<p>Click <a href="/hello">here</a> to see a greeting.</p>
</body>
</html>
Here is where my js file is located and htmls are placed in templates folder.
here is my mvcConfig code:
package hello;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
@Configuration
public class MvcConfig implements WebMvcConfigurer {
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("home");
registry.addViewController("/hello").setViewName("redirect:http://localhost:3000/home.html");
registry.addViewController("/login").setViewName("login");
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
if (!registry.hasMappingForPattern("/webjars/**")) {
registry.addResourceHandler("/webjars/**").addResourceLocations(
"classpath:/META-INF/resources/webjars/");
}
if (!registry.hasMappingForPattern("/**")) {
registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/", "classpath:/resources/","classpath:/static/", "classpath:/public/");
}
registry.addResourceHandler("/resources/**")
.addResourceLocations("/resources/");
}
}
WebSecurityConfig code:
package hello;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home","/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
UserDetails user =
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
Upvotes: 1
Views: 2080
Answers (2)
Reputation: 221
In the WebSecurityConfig class you set permitAll to only '/', '/home', and '/resources/**'. An anonymous user can access these three endpoints without security check.
For test.js file, the src points to test.js in the current url. So when you run it on localhost, the browser tries to find the test.js as http://localhost:{port}/{current-page-url}/test.js
For example, if the page is under /home then the browser calls http://localhost:8080/home/test.js, but as you defined in the WebSecurityConfig any call except /home itself will be blocked by Spring Security. (/home is not the same as /home/**)
So what you need to do is to change the src url to <script src="/resources/test.js"></script> Because anything under the /resources/** endpoint can be accessed by anyone and it is already registered in the resourceHandler configuration in the MvcConfig
registry.addResourceHandler("/resources/**")
.addResourceLocations("classpath:/");
Hope this helps! Happy Coding :)
ADD :
Also the in the <script> tag you should change the type attribute to text/javascript or you can just remove the attribute and it will work.
Upvotes: 1
Reputation: 1
Whatever the folder are in src/main/resources ,you can configure them like this ,Create this method in your security config class,generally we put static resources in static folder inside src/main/resources.
//this method allows static resources to be neglected by spring security
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**","/assets/**","/fonts/**","/dis/**","/vendor1/**");
}
Upvotes: 1
Related Questions
- Spring Boot serving static content blocked by security
- Spring security does not allow CSS or JS resources to be loaded
- spring security doesn't load the resources (images, css)
- Spring Security not serving static content
- Serving Static Html Files From Spring, cant get with Spring Security
- access static content in secured Spring Boot application
- Spring Boot Not Able to Resolve Static Content
- spring mvc static resources failed to load
- Spring Security is not loading js and css. (giving 404 error)
- unable to allow static resources in spring security 3