Access Denied (Status 403) error message trying to access index.html file declared in Spring Boot project

I am working on a Spring Boot project using Spring Security and I have the following problem trying to allow access to a test index.html page declared inside my project.

Basically I have the following situation. In my project I have this folder, src/main/resources/static, containing the index.html file.

The Spring Boot Tomcat server runs on port 8019; in fact, this is the start-up log:

2022-02-17 17:04:06.882  INFO 16062 --- [  restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8019 (http) with context path ''

So I try to open this index.html file in my browser using this URL: http://localhost:8019/index.html

But I get this error message:

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.

Thu Feb 17 17:03:54 CET 2022
There was an unexpected error (type=Forbidden, status=403).
Access Denied

I also tried to add a permitAll() rule to my Spring Security configuration class, which is this one:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtConfig jwtConfig;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    //private static final String[] USER_MATCHER = { "/api/utenti/cerca/**"};
    //private static final String[] ADMIN_MATCHER = { "/api/utenti/inserisci/**", "/api/utenti/elimina/**" };

    private static final String[] USER_MATCHER = { "/api/users/email/**" };
    private static final String[] ADMIN_MATCHER = {
            "/api/users/email/**",
            "/api/admin/**"
    };

    private static final String[] COMMON_MATCHER = {
            "/api/admin/user/{id}/wallet"
    };

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception
    {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        /*
         * NOTE:
         * Using hasRole expects the authority names to start with 'ROLE_' prefix
         * Instead, we use hasAuthority as we can use the names as it is
         */
        http.csrf().disable()
                   .authorizeRequests()
                   .antMatchers(USER_MATCHER).hasAnyAuthority("CLIENT")
                   .antMatchers(COMMON_MATCHER).hasAnyAuthority("ADMIN", "CLIENT")
                   .antMatchers(ADMIN_MATCHER).hasAnyAuthority("ADMIN")
                   .antMatchers("/api/users/test").authenticated()
                   .antMatchers(HttpMethod.GET, "http://localhost:8019/index.html").permitAll()
                   .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
                   .anyRequest().denyAll()
                   .and()
                   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(
            new TokenVerificationFilter(authenticationManager(), jwtConfig, jwtTokenUtil), UsernamePasswordAuthenticationFilter.class);
    }

    /* To allow Pre-flight [OPTIONS] request from browser */
    @Override
    public void configure(WebSecurity web)
    {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
        web.ignoring().antMatchers("/swagger-ui/**",
                                    "/webjars/**",
                                    "/v2/**",
                                    "/swagger-resources/**",
                                    "/swagger-ui.html");
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder()
    {
        return new BCryptPasswordEncoder();
    }

}

So as you can see I added this configuration line:

.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()

But it is not working, and I still cannot access this URL or the page contained in my index.html file.

Disabling Spring Security, it works fine, so the problem must be in the Spring Security configuration.

I see two things in your configuration that could be causing this. First, you're adding a custom filter; if that filter sets a 403 on the response, then the rest of the configuration won't apply, so check the doFilter method in TokenVerificationFilter.

The other culprit could be in your matcher, in which you've included not only the path, but also the protocol, host, and port. Limit this matcher to just /index.html and you should be set.

Also, to throw another solution your way... You've already got an ignoring section in your public void configure(WebSecurity web) method; just add /index.html to your list of ignores. That's effectively what you're trying to do anyway :)
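The two fixes the answer describes, as an added example rather than code from the question or the answer: the matcher names only the request path (a pattern containing scheme, host and port can never match, because Spring Security compares patterns against the servlet path), and the token filter is written so that an anonymous request falls through to authorizeRequests() instead of being rejected with 403 inside the filter. The filter class name PassThroughTokenFilter and the Authorization-header check are assumptions; the asker's TokenVerificationFilter, JwtConfig and JwtTokenUtil are not shown on the page.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not the asker's TokenVerificationFilter): a request without a
// bearer token is passed down the chain untouched, so authorizeRequests() decides its
// fate; writing a 403 here would short-circuit every rule below, permitAll() included.
class PassThroughTokenFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);   // anonymous: let the authorization rules answer
            return;
        }
        // Token validation that populates the SecurityContext would go here (omitted);
        // on an invalid token, clearing the context and continuing is also enough,
        // because a protected URL then fails at authorizeRequests() with 401/403.
        chain.doFilter(req, res);
    }
}

public class FixedSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            // Path only: "/index.html", never "http://localhost:8019/index.html".
            // "/" is added because Spring Boot also serves static/index.html as the
            // welcome page at the context root.
            .antMatchers(HttpMethod.GET, "/index.html", "/").permitAll()
            // ...the /api/** rules from the question stay here, ordered most specific first...
            .anyRequest().denyAll()            // the catch-all must remain the last rule
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(new PassThroughTokenFilter(),
                             UsernamePasswordAuthenticationFilter.class);
    }
}
```

permitAll() keeps /index.html inside the security filter chain (security headers, CSRF handling if re-enabled, request logging), whereas web.ignoring() removes the path from the chain entirely; for a static page either works, but the permitAll() route is the one that preserves those protections.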
