2

I thought this was easy in XML configuration, but now that I am using Java code configuration I am lost. Can anyone tell me how I can configure Spring Security to skip the security check for a static resource directory?

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
    .csrf().disable()

    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .authorizeRequests().antMatchers(actuatorEndpoints()).hasRole(backendAdminRole)
    .and()
    .authorizeRequests().antMatchers(apiEndpoints()).hasRole(frontendUserRole)
    // what code can I add here so that a static directory/resource is not checked by Spring Security?
    .anyRequest().authenticated()
    .and().anonymous().disable()
    .exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());
}

Thank you very much in advance for your kind help.

JasonMArcher
user3006967
  • Don't you mean something like this: http://stackoverflow.com/questions/28455507/how-do-i-define-http-security-none-in-javaconfig/28456037#28456037 ? – Artem Bilan Feb 23 '15 at 20:09
  • Excellent, but I just don't know why that is only for WebSecurity and not in HttpSecurity. So if I want to ignore anything, I have to override the WebSecurity signature and put it there? Does this also mean we have to have two configure functions, one for ignoring and one for authentication? – user3006967 Feb 23 '15 at 20:41

1 Answer

0

I guess you mean something like this: How do I define http "security = 'none' in JavaConfig?

> Excellent, but I just don't know why that is only for WebSecurity and not in HttpSecurity. So if I want to ignore anything, I have to override the WebSecurity signature and put it there? Does this also mean we have to have two configure functions, one for ignoring and one for authentication?

Not really. There is one more configure(AuthenticationManagerBuilder auth) on the WebSecurityConfigurerAdapter, so I don't see any issue with distributing those responsibilities between different domain objects. On the other hand, ignore is a more common security function, but http is restricted to HTTP.

On the other hand, your code should be clearer when you don't have to pay attention to the ignored ones in the http config.

Community
Artem Bilan
  • Can you specify how to use configure(AuthenticationManagerBuilder auth) to configure ignore? Do you mean we can move ignore to authenticationManagerBuilder? – user3006967 Feb 23 '15 at 20:58
  • No, I mean that it isn't an issue that `WebSecurityConfigurerAdapter` has several methods which we can override for our purposes. Please read their JavaDocs to be sure what to do and when. – Artem Bilan Feb 23 '15 at 21:11
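
An added example, not code from the question or the answer: one way to exempt static resources in Java config is to override configure(WebSecurity) alongside the existing configure(HttpSecurity) on the same WebSecurityConfigurerAdapter. The resource patterns, role names, endpoint lists and entry point are assumed, since the question does not show them.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: the question does not show the real paths or role names.
    private static final String[] STATIC_RESOURCES = {"/css/**", "/js/**", "/images/**"};
    private final String backendAdminRole = "BACKEND_ADMIN";
    private final String frontendUserRole = "FRONTEND_USER";

    @Override
    public void configure(WebSecurity web) {
        // Java-config counterpart of <http pattern="..." security="none"/>.
        // Matching requests bypass the whole filter chain: no authentication and
        // no Spring Security response headers. Keep these patterns narrow.
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(actuatorEndpoints()).hasRole(backendAdminRole)
                .antMatchers(apiEndpoints()).hasRole(frontendUserRole)
                .anyRequest().authenticated()
            .and()
            .anonymous().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());
    }

    // Assumed helper bodies; the question only shows the calls.
    private String[] actuatorEndpoints() { return new String[] {"/health", "/metrics"}; }
    private String[] apiEndpoints() { return new String[] {"/api/**"}; }
    private AuthenticationEntryPoint unauthorizedEntryPoint() {
        return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
    }
}
```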