Reputation: 41
I am storing my public web resources (CSS, JS) in the 'static' folder, with the following path: 'java/com/myapp/resources/static/**'. Here are my configuration classes:
SecurityConfig.java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll());
        return http.build();
    }

    // Excludes the static resources from the security filter chain entirely.
    // antMatchers(String) is the call that no longer exists on Spring Security 6.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() throws Exception {
        return (web) -> web.ignoring().antMatchers("/resources/static/**");
    }
}
And ResourceConfig.java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class ResourceConfig implements WebMvcConfigurer {

    // Serves files found under classpath:/static/ at the URL path /static/**
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/");
    }
}
It worked on Spring Security version 5.x.x, but in the current version of Spring Security (which is 6.0.3), the method 'antMatchers(String)' is undefined for the type 'WebSecurity.IgnoredRequestConfigurer', so I can't configure it in the same way anymore.
I read this document (https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-requestmatchers) which stated that I can replace the deprecated 'antMatchers' methods with 'requestMatchers', like so:
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().requestMatchers("/resources/static/**");
}
However, even after making this change, my CSS files are still missing. So, I would like to ask: how can I configure Spring Security 6 to ignore the static resources folder? Thank you.
Upvotes: 4
Views: 9317
Reputation: 1
You can try something like this:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable) // disables CSRF protection for every request, not only the static ones
        .authorizeHttpRequests(auth -> {
            // files under /css/** are served without authentication
            auth.requestMatchers("/css/**").permitAll();
            auth.anyRequest().authenticated();
        })
        .formLogin(form -> form
            .loginPage("/login")
            .permitAll()
        );
    return http.build();
}
Upvotes: 0
Reputation: 1
In requestMatchers, add a new AntPathRequestMatcher("YOUR PATH"):
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // Chained (non-lambda) style with .and(): compiles on 6.0.x, deprecated since Spring Security 6.1
    return http.csrf().disable() // disables CSRF protection for every request
        .authorizeHttpRequests()
            // explicit Ant-style matcher for the image files
            .requestMatchers(new AntPathRequestMatcher("/images/**")).permitAll()
            .anyRequest().authenticated()
        .and()
        .build();
}
Upvotes: 0
Reputation: 1
It’s more secure because even with static resources it’s important to write secure headers, which Spring Security cannot do if the request is ignored.
In the past, this came with a performance tradeoff since the session was consulted by Spring Security on every request. As of Spring Security 6, however, the session is no longer pinged unless required by the authorization rule. Because the performance impact is now addressed, Spring Security recommends using at least permitAll for all requests.
Upvotes: 0
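A complete Spring Security 6 configuration along the lines the last answer recommends (permitAll rather than ignoring), which also answers the original question. This is an added example, not code from the question or from any of the answers. It assumes the asker's mapping of classpath:/static/ to the URL path /static/**, a login page at /login, and that the files really are on the classpath under /static/ (Maven and Gradle package src/main/resources by default, not src/main/java); the class and package names are placeholders. The point worth checking first: the security pattern is matched against the request path as served (/static/**), not against the source folder or the classpath location, so a pattern such as /resources/static/** never matches a request for /static/app.css.

```java
// Added example (not from the question or any answer). Assumes the resource
// handler below and a login page at /login; names are placeholders.
package com.myapp.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig implements WebMvcConfigurer {

    // URL path /static/** -> files under classpath:/static/.
    // setCachePeriod writes Cache-Control on these responses before Spring
    // Security's header writer runs; the writer skips responses that already
    // carry a Cache-Control header, so the CSS/JS stay cacheable instead of
    // getting the security default of no-cache, no-store.
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/")
                .setCachePeriod(3600); // one hour; pick what suits the deployment
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // permitAll keeps the request inside the filter chain: no
                // authentication is required, but the default security
                // headers (X-Content-Type-Options, X-Frame-Options, ...)
                // are still written, unlike with web.ignoring().
                // The pattern is the request path, not the folder on disk.
                .requestMatchers("/static/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll()); // login page itself must be reachable anonymously
        // CSRF protection stays at its default (enabled); GET requests for
        // static files are not subject to the CSRF check anyway.
        return http.build();
    }
    // No WebSecurityCustomizer with ignoring(): the static paths are handled
    // by the permitAll rule above instead.
}
```

With this in place a request for /static/app.css passes through the chain, is allowed by the permitAll rule, and is served by the resource handler with both the MVC Cache-Control header and Spring Security's remaining default headers; everything else still redirects to /login. To confirm the matcher, fetch one CSS file with an unauthenticated client and check for a 200 with the expected Content-Type rather than a redirect to the login page.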