0

So I'm new to Spring, and learning along the way as I develop a web application using Spring-Boot. Currently my page consists of two html pages: index.html and login.html. I'm also using Spring-Security.

Here's my current MvcConfig:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("index");
        registry.addViewController("/login").setViewName("login");
    }
}

The way the website is designed, a user goes to the url http://localhost:8080, then he/she is presented with the initial page, there's a login tab there where he/she can log in, and move to the dashboard view (which I will add later). However, when I load the initial page, the page is totally misconfigured (css / js / images resources aren't loaded). After I go to http://localhost:8080/login, perform the login and everything works again.

Therefore, any url of the form http://localhost:8080 is to be allowed (index.html), but anything else would require login. Here's my Spring-Security config:

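import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only these two exact paths are public.
                .regexMatchers("/", "/index").permitAll()
                // Everything else, css / js / images included, requires login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}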

How can I correctly configure my webpage?

Notes: I currently don't have any Controller class.

asked Dec 16, 2015 at 2:55
6
  • add permitAll to css, js, image http .authorizeRequests() .regexMatchers("/", "/index", "/**/*.js", "/**/*.css").permitAll() because anyRequest().authenticated() makes your request to html resource authorized. or more easy, make style for login page Commented Dec 16, 2015 at 3:19
  • @ThangHoang could you better formulate your answer? Commented Dec 16, 2015 at 3:20
  • add permitAll to css, js, image http .authorizeRequests() .regexMatchers("/", "/index", "/**/*.js", "/**/*.css").permitAll() because anyRequest().authenticated() makes your request to html resource authorized. or more easy, make style for login page. no depend on static resource. Commented Dec 16, 2015 at 3:25
  • @ThangHoang Could you add that in an answer? Commented Dec 16, 2015 at 3:25
  • @philippe avoid using regexMatchers unless your application really is dependent on ultra complex dynamic url patterns. It is a lot more work to manage it then. Use antMatcher which is a lot simpler since it uses basic url inputs (/login, /admin, dashboard etc.) and it won't interfere with any resource files you try and use. Happy to provide an answer if you go down this path. Commented Dec 16, 2015 at 3:34

2 Answers

1

The problem with regex matchers that I found is that you will need to account in the mapping for any resource loaded from your server.

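import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/admin").hasRole("ADMIN") // e.g. for pages that need to be authenticated
                .anyRequest().permitAll() // all the others will be accessible by all
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}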

The simplest way to do matching is to follow these steps:

  1. Declare your resource files by overriding addResourceHandlers
  2. Use antMatchers to handle url security (simpler and easier), unless you have extremely dynamic urls with critical parameters
cybertextron
answered Dec 16, 2015 at 3:40

4 Comments

For some reason it's not applying the code format for me, if anyone can edit and fix it please do
Aeseir, how to add an 'ADMIN' role?
What do you mean? How did you allocate roles to your users that will be authenticated?
I hope it also helped you understand security a bit more
1

sorry guy, I will try to make it clear

anyRequest().authenticated() makes your requests to html resources need to be authorized. You only permitAll to '/' & '/login'

so, add permitAll to css, js, image too:

http
    .authorizeRequests()
    .regexMatchers("/", "/index").permitAll()
    .antMatchers("/**/*.js", "/**/*.css").permitAll()

Or, more easily, make a style for the login page that does not depend on other static resources.

answered Dec 16, 2015 at 3:33

1 Comment

I tried that ... first the ** doesn't work. So the results were the same as before.
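
A default-deny variant of the configurations discussed in the two answers above, as an added example that is not part of the original question or answers: the landing page and the static assets it needs are permitted explicitly, and every other URL still requires login. The `/css/**`, `/js/**` and `/images/**` paths are assumptions about where the static files are served, so adjust them to the real layout.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed layout (not from the original post): static files live under
    // src/main/resources/static/{css,js,images}/ and are served by Spring
    // Boot's default resource handling at /css/**, /js/**, /images/**.
    private static final String[] PUBLIC_STATIC = {
        "/css/**", "/js/**", "/images/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public landing page.
                .antMatchers("/", "/index").permitAll()
                // Assets the landing and login pages load before login.
                // Ant patterns ("**") belong in antMatchers; regexMatchers
                // expects regular expressions.
                .antMatchers(PUBLIC_STATIC).permitAll()
                // Rules are checked in order and the first match wins, so
                // this catch-all stays last. Default deny: a route added
                // later is protected without needing a new rule.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```

Compared with `anyRequest().permitAll()`, this keeps the allow-list short and explicit: forgetting a rule leaves a page behind the login rather than exposed.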
