I followed the Spring Security 3.2 docs to write a sample app. Does http.authorizeRequests().anyRequest().authenticated() mean that any request is denied for someone who is not logged in? But when I access any URL, it is accessible. Is there some config I am missing?
    @Configuration
    public class SpringWebMVCApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { SecurityConfig.class };
        }

        @Override
        protected Class<?>[] getServletConfigClasses() {
            return new Class[] { WebConfig.class };
        }

        @Override
        protected String[] getServletMappings() {
            return new String[] { "/" };
        }
    }
Spring MVC config:
    @Configuration
    @EnableWebMvc
    @ComponentScan("org.jxs.mm.controller")
    public class WebConfig extends WebMvcConfigurerAdapter {
        @Override
        public void addResourceHandlers(ResourceHandlerRegistry registry) {
            registry.addResourceHandler("/assets/**").addResourceLocations("/assets/");
            registry.addResourceHandler("/favicon.ico").addResourceLocations("/favicon.ico");
        }
    }
Spring Security config:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }
You can grant access to a particular RESTful URL that requires no authentication with the keyword "permitAll", and use "hasAnyAuthority" for pages that do.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/signin/authenticate")
                .failureUrl("/loginfail")
                // Grant all access to login url
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/signout")
                .logoutSuccessUrl("/signin")
                .and()
            .authorizeRequests()
                .antMatchers("/foo/**").permitAll() // No authentication required
                // Authentication required (access granted to users with role "ROLE_USER" or "ROLE_ADMIN")
                .antMatchers("/").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN");
    }
You probably haven't registered your springSecurityFilterChain with the WAR. See section 3.1.1 in the Spring Security documentation.
To summarize:
SecurityConfig class defines your Spring Security configuration. It configures the springSecurityFilterChain filter.
However, this filter chain needs to be applied to/registered with/associated with all URLs in your application (so that the URLs get intercepted by the springSecurityFilterChain). This can be done by extending AbstractSecurityWebApplicationInitializer like so:
    import org.springframework.security.web.context.*;

    public class SecurityWebApplicationInitializer
            extends AbstractSecurityWebApplicationInitializer {
    }
After this, Spring Security should intercept any URL and apply the appropriate security rules as configured.
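A startup check for the missing registration described in the answer above, as an added example that is not part of the original answer or of Spring Security itself. The class name SecurityFilterRegistrationCheck is hypothetical, and the check assumes a Servlet 3.0+ container that scans for @WebListener and an application that wants every URL behind the filter. It throws during startup when no filter named springSecurityFilterChain is mapped to /*, instead of leaving the application silently unprotected.

```java
import java.util.Collection;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Hypothetical class, added for illustration (not from the page or from Spring Security).
@WebListener
public class SecurityFilterRegistrationCheck implements ServletContextListener {

    // Filter name that AbstractSecurityWebApplicationInitializer registers.
    private static final String FILTER_NAME = "springSecurityFilterChain";

    // Assumption: the whole application must sit behind the security filter.
    private static final String REQUIRED_PATTERN = "/*";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        // WebApplicationInitializers run before listener events fire, so any
        // filter they registered is already visible in the ServletContext here.
        ServletContext context = event.getServletContext();
        FilterRegistration registration = context.getFilterRegistration(FILTER_NAME);

        if (registration == null) {
            // This is the situation in the question: SecurityConfig builds the
            // filter chain bean, but no servlet filter delegates requests to it.
            throw new IllegalStateException("No filter named '" + FILTER_NAME
                    + "' is registered; authorization rules will not be enforced");
        }

        Collection<String> patterns = registration.getUrlPatternMappings();
        if (!patterns.contains(REQUIRED_PATTERN)) {
            // Registered, but only for part of the URL space.
            throw new IllegalStateException("Filter '" + FILTER_NAME
                    + "' is mapped to " + patterns + ", expected " + REQUIRED_PATTERN);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```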