Spring Security not serving static content

Question

I'm trying to get spring security to allow the serving of static files like .css .js etc. without need to login first.

I've tried creating MVC config with resource handler and changing rules in spring security config, but nothing seems to be working.

MvcConfig.java:

@Configuration
@EnableWebMvc
public class MvcConfig implements WebMvcConfigurer {

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/assets/**")
        .addResourceLocations("/assets/");
}

}

SecurityConfig.java:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/assets/**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll();
}

@Override
public void configure(WebSecurity web) {
    web.ignoring().antMatchers("/assets/**");
}

}

When I go to http://localhost:8080/assets/js/particles.min.js I'm expecting it to return the file contents but every time I try links like localhost:8080/assets/* it returns the content of login.html

My assets files My project files

Answer 1

Supposing that your static files are under src/main/resources :

There are two main pieces to configure:

Implement the WebMvcConfigurer interface to discover your static resources:

@Configuration
public class MvcConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        if (!registry.hasMappingForPattern("/assets/**")) {
            registry.addResourceHandler("/assets/**")
                    .addResourceLocations("/assets/");
        }
    }
}

Setup your security configuration to allow static resources (such as CSS, JavaScripts and images) to be publicly accessible:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  // Your settings

    @Override  
    protected void configure(HttpSecurity http) throws Exception {

        // Your AuthN handlers and filter chain...

        http        
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/css/**").permitAll()
                .antMatchers("/img/**").permitAll()
                .antMatchers("/js/**").permitAll()
                .anyRequest().authenticated();

        // Logout handler...
    }
}

Supposing that you have a CSS file as follows:

src/main/resources/assets/css/layout.css

The web server will make it accessible at:

http://<root_url>:<port>/css/layout.css

Answer 2

Try to change to:

http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/assets/").permitAll()
        .and()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
        .logout()
        .permitAll();

Answer 3

web.ignoring().antMatchers("/assets/**");

The statement above will tell spring security to Ignore any request that starts with “/assets/” . So if i were you, i will remove all the following configuration:

.antMatchers("/", "/assets/**")
        .permitAll()

fom the configure(HttpSecurity http) method.