I want to map local folder to localhost:8080 How can I achieve this.
I am using spring boot. have given permitall to public/pic folder.
how to open in browser like below.
http://localhost:8080/public/pic/default.jpg
above link gives 401 and asks for username and password.
using below code for security in spring
#Override
protected void configure (HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors().disable();
http.authorizeRequests()
.antMatchers("/public/pic/**").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.logout();
// #formatter:on
}
where should be the folder /public/pic in local system?
Try to add to your config
#Override
public void configure(WebSecurity webSecurity) {
webSecurity.ignoring().antMatchers("/public/pic/**");
}
Related
I am trying to deploy a war with spring boot and angular as single unit.
This works fine on first go but when I refresh page it shows 403 error.
Steps I used to create war:
angular build - ng build --prod --base-href=/ui/ --deploy-url=/ui/
I take out the content of dist and paste it in static folder of my spring boot application/
Spring security config has code:
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/ui/**");
//super.configure(web);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/","/api/hello/**","/api/login").permitAll()
.anyRequest()
.authenticated()
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
}
final step is to create an endpoint that will load index.html
#GetMapping("/")
public String loadUI() {
return "forward:/ui/index.html";
}
Please help me how to fix this.
I'm trying to add spring security to a custom Java project, by manually adding all dependencies etc. So far I've been successful, but I (think I) have a problem with my WebSecurityConfigurerAdapter:
#Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers("/index.html").hasAnyRole("USER", "ADMIN")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.formLogin()
.loginPage("/sign-in")
.permitAll();
}
When restricting index.html as above, the user is immediately required to login when entering the application base-URL (e.g localhost:8080/myapp/). However if I change the antMatcher to:
...
http.authorizeRequests()
.antMatchers("/test**").hasAnyRole("USER", "ADMIN")
.and()
...
I can hit the application base-URL without having to login. It's worth mentioning that index.html and test.html are completely identical (they only contain an h1-tag), and are both located in the root of the generated .war-file:
enter image description here
How do I configure the application so that the user doesn't have to login when entering the base-url, but only when requesting the index.html (e.g. localhost:8080/myapp/index.html)?
Thanks in advance
Edit: My app has an endpoint at localhost:8080/myapp/ looking like this:
#GetMapping("/")
public String home() {
return ("<h1>Welcome</h1>");
}
The idea is that the user should be able to reach this without having to authenticate.
You can try this...
'''
http.authorizeRequests()
.antMatchers("/test**").permitAll().antMatchers("/index.html").hasAnyRole("USER", "ADMIN")
.and()
'''
if test.html is your base file.
I am writing a Java Spring Boot application that incorporates the Spring Boot Security in my pom.xml. However, It works when I redirect from login to my /home. Though when I change the page again or do a simple ajax call, I get passed a 403 error. I believe it has to do with the security and that page not having the proper access. I am looking for the best way to solve this with still keep my security intake.
Java Security:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler()) // On authentication success custom handler
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
Java Success Handler:
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
String principal = authentication.getName();
System.out.println("Successful login: principal " + principal);
ADID = principal;
response.sendRedirect("/dashboard");
}
Error in Controller:
Error 403 : http://localhost:8080/edit/ajax/doesSomething
So the /dashboard is the first page I get to if the login is successful, then after that the client inputs some fields and is moved to another page that calls a different URL path. It fails I assume when it calls the other paths that are not /dashboard
Your problem is CSRF token. You can disable it in the security configure but it is better you use it. See this site for more information.
Try this ...
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().permitAll()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler())
.and()
.logout().logoutRequestMatcher(new
AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
or disable CSRF as quick fix.
http.csrf().disable();
Add this in java security. This will permit requests to any endpoint or specified ones:
`
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/**").antMatchers("/example/endpoint");
}
`
And you can also keep your
protected void configure(HttpSecurity http) throws Exception
My aim is to add security class to my Java project except paths like "api/public/*".
When I request in POSTMAN
http://localhost:8080/api/public/signup
with a json body, I get 401. Here's my security class which permits all matchers of api/public/*:
What am I missing?
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// we don't need CSRF because our token is invulnerable
.cors()
.and()
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
// don't create session
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/public/**").permitAll()
.anyRequest().authenticated();
// Custom JWT based security filter
JwtAuthorizationTokenFilter authenticationTokenFilter = new JwtAuthorizationTokenFilter(userDetailsService(), jwtTokenUtil);
httpSecurity
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
// disable page caching
httpSecurity
.headers()
.frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank.
.cacheControl();
}
#Override
public void configure(WebSecurity web) throws Exception {
// AuthenticationTokenFilter will ignore the below paths
web
.ignoring()
.antMatchers("/api/public/*");
}
Mvn clean solved my problem. It seems build somehow stuck in a previous state.
mvn clean
I have a problem with my Spring Boot application in security configuration. I want to apply basic authentication in a URL. My app's default URL is app/v1/items
and my ap'sp secure URL is app/v1/secure/items.
With given configuration basic authentication is not working and I can get items from both URLs. I can not configure the antMatchers.
How can it handle it?
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").permitAll()
.antMatchers("/secure").access("hasRole('USER')")
.anyRequest().authenticated();
http
.httpBasic();
http
.csrf().disable();
}
try this code please.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/app/v1/items/**").permitAll()
.antMatchers("/app/v1/secure/items/**").hasAuthority("USER")
.anyRequest().authenticated();
http.httpBasic();
http.csrf().disable();
}