Spring Boot serving static content blocked by security

Question

I started Spring Boot + Angular application and for now I want to deploy whole thing as a jar. So I created maven config, where angular app gets built and then is copied to /target/classes/resources

But every request to root (localhost:8080) gets blocked by security. When I disable it i can see the page, which means the whole thing is deployed correctly, but somehow spring does not allow me to see it. Here is my simple security config, I want static resources to be unprotected, while any other request requires authentication:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

EDIT: A minimal example of my problem is here: https://gitlab.com/jnowacki/security-issue-demo

EDIT 2: I tries all the things from this post: Serving static web resources in Spring Boot & Spring Security application Do I do something wrong on a conceptual level? Is it wrong to serve static content along with Spring Boot app?

Answer 1

Add this additional override:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers(AUTH_WHITELIST);
}

where AUTH_WHITELIST will contain the paths to be ignored. For instance:

private static final String[] SWAGGER_AUTH_WHITELIST = {
        // -- swagger ui
        "/v2/api-docs",
        "/swagger-resources",
        "/swagger-resources/**",
        "/swagger-ui.html",
        "/resources/**"
};

Answer 2

try below.

@Override
public void configure(WebSecurity web) throws Exception {
    web
    .ignoring()
    .antMatchers("/resources/**");
}

Refer spring-securitys-antmatcher

Answer 3

Use this method to allow static resources to be ignored by spring security

//this method allows static resources to be neglected by spring security
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/**", "/static/**");
    }

Answer 4

According to StaticResourceLocation docs :

.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()

will permit access to CSS, JS, ICO, images and NOT to html .

To permit index.html you can use following configuration:

 http.authorizeRequests()
                .antMatchers("/index.html", "/").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();

Answer 5

// extends WebSecrityConfiguratesAdapeter

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Overide
    public void configure(WebSecurity web) throws Exception { 
         web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, ALL_ESCAPE)
            .antMatchers("*.js")
            .antMatchers(")
            .antMatchers(BOWER_COMPONENTS)
            .antMatchers(I18N)
            .antMatchers(CONTENT);           
      }
}

Answer 6

you must match real path, or example:

.pathMatchers("/assets/**", "/static/**")
            .permitAll()ere