
I am using Spring Security in my application and I have a REST API exposed. The API authenticates the user who is trying to access it, and I am also using Spring's ACL implementation (applied through the PreAuthorize, PostAuthorize, etc. annotations).

The problem is that there are some resources that can be accessed by non-logged-in users, while some of those resources' operations can be used by logged-in users only. To provide access to non-logged-in users, I have added those URLs to the SecurityConfiguration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@ImportResource("classpath:acl-config.xml")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching these patterns bypass the Spring Security filter chain entirely.
        web.ignoring()
            .antMatchers("/api/v1/resource1")
            .antMatchers("/api/v1/resource2");
            // .... (further ignored URLs elided in the original post)
    }
}

Now the problem is that whenever anyone accesses resource1 or resource2, SecurityContextHolder.getContext().getAuthentication() returns null. This is causing problems because I am using Spring's ACL implementation, and the implementation's source files call SecurityContextHolder.getContext().getAuthentication() and get null in return, so ACL has stopped working. In my own code I can get the authentication instance as mentioned here, but not in ACL's source files.

I would like to do something in the configuration as a one-time thing, so that even if I list URLs in SecurityConfiguration, I can still get a SecurityContextHolder.getContext().getAuthentication() instance.

Syed Waqas
  • What do you think ignoring is doing? Adding URLs there will completely ignore Spring Security for those URLs. If you want to permit access to everyone and be able to use the `SecurityContextHolder`, add them to your secured URLs and add `permitAll` to allow access for everyone; don't ignore them. – M. Deinum Aug 19 '15 at 09:29
  • Ok Deinum. I tried to make the URLs secure by adding `httpSecurity.authorizeRequests().antMatchers("/api/v1/resource1").permitAll()` to the WebSecurityConfigurerAdapter.configure method, but it's not helping. I have also searched a lot for other options, but no success so far. Where should I add this URL to get the expected behavior? The application is using OAuth2 as well, which is configured separately. – Syed Waqas Aug 20 '15 at 18:02
  • Do you have them removed from the web security ignore? Make sure that the order of the authorizations is correct and that no other security rule kicks in beforehand; the order of the ant matchers is also the order in which they are consulted! – M. Deinum Aug 20 '15 at 18:04
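The fix the comments describe, written out as an added example (this is not code from the original post or from either commenter): the web.ignoring() rule from the question is replaced by permitAll() rules in configure(HttpSecurity). A request that is ignored never enters the Spring Security filter chain, so nothing populates the SecurityContext and getAuthentication() is null. A request that is merely permitted still passes through the chain, so the AnonymousAuthenticationFilter leaves an AnonymousAuthenticationToken (principal "anonymousUser", authority ROLE_ANONYMOUS) in the context, which is what the ACL classes read. The "/static/**" path, the HTTP methods, the "/api/v1/resource1/**" pattern variants, and the ResourceService class and its "com.example.Resource" ACL target type are assumptions for illustration; the OAuth2 configuration the asker mentions is not shown.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@ImportResource("classpath:acl-config.xml")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Only paths that need no security at all belong here (assumed static content).
        // A matching request never enters the filter chain, so no SecurityContext is
        // populated and SecurityContextHolder.getContext().getAuthentication() is null.
        web.ignoring().antMatchers("/static/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matchers are consulted in declaration order and the first match wins,
                // so the open read endpoints must be listed before the catch-all rules.
                .antMatchers(HttpMethod.GET, "/api/v1/resource1/**").permitAll()
                .antMatchers(HttpMethod.GET, "/api/v1/resource2/**").permitAll()
                // Everything else under the API, including POST/PUT/DELETE on the two
                // resources above, still requires an authenticated caller.
                .antMatchers("/api/v1/**").authenticated()
                .anyRequest().authenticated()
                .and()
            // Anonymous support is on by default; it is spelled out here because this is
            // the filter that gives unauthenticated callers an AnonymousAuthenticationToken.
            .anonymous()
                .and()
            .httpBasic();
    }
}

// Hypothetical service showing that method security now sees an Authentication
// for every caller, anonymous ones included.
@Service
class ResourceService {

    private final Map<Long, String> store = new HashMap<>();

    // Evaluated with the ACL PermissionEvaluator from acl-config.xml. For an anonymous
    // caller the sids are PrincipalSid("anonymousUser") and GrantedAuthoritySid("ROLE_ANONYMOUS"),
    // so public resources need a READ ACE granted to ROLE_ANONYMOUS; with web.ignoring()
    // this expression would have failed on a null Authentication instead.
    @PreAuthorize("hasPermission(#id, 'com.example.Resource', 'READ')")
    public String read(long id) {
        return store.get(id);
    }

    // Write operations are restricted to real logins: isAuthenticated() rejects the
    // anonymous token before the ACL lookup is attempted.
    @PreAuthorize("isAuthenticated() and hasPermission(#id, 'com.example.Resource', 'WRITE')")
    public void update(long id, String payload) {
        store.put(id, payload);
    }

    // Helper for logging who is acting; returns "anonymousUser" for permitted anonymous
    // requests rather than throwing a NullPointerException.
    public String currentPrincipal() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "<no security context>" : auth.getName();
    }
}
```

One caveat that matches the last comment's "another security rule kicks in beforehand": if an OAuth2 ResourceServerConfigurerAdapter is also registered, it contributes its own filter chain, which by default is ordered ahead of the WebSecurityConfigurerAdapter chain and typically claims the API paths. In that case a permitAll() rule declared here is never consulted for /api/v1/resource1, and the rule has to be placed in that adapter's configure(HttpSecurity) instead (or the two chains' request matchers made disjoint).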

0 Answers