I am working on a Spring Boot project using Spring Security and I have the following problem trying to allow access to a test `index.html` page declared inside my project.

Basically I have the following situation. In my project I have this folder: `src/main/resources/static`, containing the `index.html` file.

The Spring Boot Tomcat server runs on port 8019; in fact this is the start-up log:

```
2022-02-17 17:04:06.882  INFO 16062 --- [  restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8019 (http) with context path ''
```

So I try to open this `index.html` file in my browser at this URL: http://localhost:8019/index.html

But I am getting this error message:

```
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Feb 17 17:03:54 CET 2022
There was an unexpected error (type=Forbidden, status=403).
Access Denied
```

I also tried to add a `permitAll()` rule to my Spring Security configuration class, this one:
```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtConfig jwtConfig;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    //private static final String[] USER_MATCHER = { "/api/utenti/cerca/**"};
    //private static final String[] ADMIN_MATCHER = { "/api/utenti/inserisci/**", "/api/utenti/elimina/**" };

    private static final String[] USER_MATCHER = { "/api/users/email/**"};

    private static final String[] ADMIN_MATCHER = {
        "/api/users/email/**",
        "/api/admin/**"
    };

    private static final String[] COMMON_MATCHER = {
        "/api/admin/user/{id}/wallet"
    };

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception
    {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /*
         * NOTE:
         * Using hasRole expects the authority names to start with 'ROLE_' prefix
         * Instead, we use hasAuthority as we can use the names as it is
         */
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers(USER_MATCHER).hasAnyAuthority("CLIENT")
            .antMatchers(COMMON_MATCHER).hasAnyAuthority("ADMIN","CLIENT")
            .antMatchers(ADMIN_MATCHER).hasAnyAuthority("ADMIN")
            .antMatchers("/api/users/test").authenticated()
            .antMatchers(HttpMethod.GET, "http://localhost:8019/index.html").permitAll()
            .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
            .anyRequest().denyAll()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(
            new TokenVerificationFilter(authenticationManager(), jwtConfig, jwtTokenUtil), UsernamePasswordAuthenticationFilter.class);
    }

    /* To allow Pre-flight [OPTIONS] request from browser */
    @Override
    public void configure(WebSecurity web)
    {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
        web.ignoring().antMatchers("/swagger-ui/**",
                                   "/webjars/**",
                                   "/v2/**",
                                   "/swagger-resources/**",
                                   "/swagger-ui.html");
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder()
    {
        return new BCryptPasswordEncoder();
    }
}
```
So as you can see I added this configuration line:

```java
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
```

But it is not working and I still cannot access this URL or the page contained in my `index.html` file.

Disabling Spring Security, it works fine, so the problem must be in the Spring Security configuration.
I see two things in your configuration that could be causing this. First, you're adding a custom filter: if that filter sets a 403 on the response, then the rest of the configuration won't apply, so check the `doFilter` method in `TokenVerificationFilter`.

The other culprit could be in your matcher, in which you've included not only the path, but also the protocol, host, and port. Limit this matcher to just `/index.html` and you should be set.

Also, to throw another solution your way... You've already got an ignoring section in your `public void configure(WebSecurity web)` method; just add `/index.html` to your list of ignores. That's effectively what you're trying to do anyway :)
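The two fixes from the answer, written out as an added example that is not code from the question or the answer above. It keeps the question's `WebSecurityConfigurerAdapter` style; the login path constant `LOGIN_URI` and the class name are assumptions standing in for the original `jwtConfig.getUri()` and `SecurityConfiguration`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class StaticPageSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical login endpoint; the question reads this value from jwtConfig.getUri().
    private static final String LOGIN_URI = "/api/auth/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                // antMatchers() patterns are compared against the request path only.
                // A pattern such as "http://localhost:8019/index.html" can never match,
                // so the request fell through to anyRequest().denyAll() and got a 403.
                .antMatchers(HttpMethod.GET, "/index.html").permitAll()
                .antMatchers(HttpMethod.POST, LOGIN_URI).permitAll()
                .antMatchers("/api/admin/**").hasAuthority("ADMIN")
                // Keep the explicit deny-by-default rule from the original configuration.
                .anyRequest().denyAll()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // If a token filter is added here (as in the question), it must pass requests
        // without a token on to the next filter instead of writing a 403 itself;
        // otherwise the permitAll() rule above is never consulted.
    }

    // Alternative from the answer: take the page out of the security filter chain.
    // Ignored paths receive no Spring Security processing at all, not even the
    // security response headers, so the permitAll() rule above is the tighter option;
    // use one of the two, not both.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
        // web.ignoring().antMatchers("/index.html");
    }
}
```

The quickest check after the change is to request `/index.html` without any token and confirm a 200, then request a protected `/api/admin/**` path the same way and confirm it still returns 403.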