
We have the following spring security configuration:

<!-- Success handler wired into form-login below. The class name suggests it answers
     the login POST with a JSON body rather than a redirect (class not shown — confirm). -->
<bean id="authenticationSuccessHandler" class="***.JsonAuthenticationSuccessHandler"/>

    <!-- Success handler for the logout element below. noRedirectStrategy is referenced
         here but declared outside this excerpt; presumably it suppresses the post-logout
         redirect so API clients get a plain status response — verify. -->
    <bean id="logoutSuccessHandler" class="***.web.security.***UrlLogoutSuccessHandler">
        <property name="redirectStrategy" ref="noRedirectStrategy"/>
    </bean>

    <!-- Failure handler for form-login (custom class; its behaviour is not visible here). -->
    <bean id="authenticationFailureHandler"
          class="***.web.security.***UrlAuthenticationFailureHandler"/>

    <!-- Entry point used when an unauthenticated request hits a protected URL: replies
         with a bare 401 instead of redirecting to a login page, which is what an API
         client expects. Note it only applies where the chain itself raises the
         authentication failure (ExceptionTranslationFilter); exceptions thrown by
         earlier custom filters do not pass through it. -->
    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>

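    <!-- Public endpoints are excluded with a pattern-scoped element that sets
         security="none". It MUST come before the secured element below: that one has
         no pattern attribute, so it is the universal ("/**") chain and would otherwise
         take the request first. security="none" skips the whole filter chain for the
         pattern — no session handling, no SecurityContext, no CSRF protection — so use
         it only for endpoints that are genuinely public; add one such element per
         public pattern (Ant wildcards are allowed in pattern). -->
    <security:http pattern="/api/url/available/without/login" security="none"/>

    <!-- Universal chain: everything not matched by a pattern-scoped element above. -->
    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
        <!-- Custom filter in the CONCURRENT_SESSION_FILTER slot. Because anonymous
             authentication is disabled below, an unauthenticated request reaches it
             with a null Authentication in the SecurityContext. -->
        <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>

        <security:form-login
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-handler-ref="authenticationFailureHandler"
                />

        <!-- No access attribute: this pattern carries no authorization rule for the
             FilterSecurityInterceptor. The 401 reported for unauthenticated callers is
             presumably produced by the custom filter above, not by this rule — verify. -->
        <security:intercept-url pattern="/api/**"/>
        <!-- No AnonymousAuthenticationToken is created, so
             SecurityContextHolder.getContext().getAuthentication() is null for
             unauthenticated requests; any code reading it must null-check. -->
        <security:anonymous enabled="false"/>
        <!-- Two cookies are cleared on logout; "sessionId" hints at a second session
             cookie managed outside Spring Security — confirm it is the right name. -->
        <security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
                         success-handler-ref="logoutSuccessHandler"
                />
        <!-- NOTE(review): CSRF protection is disabled while authentication is
             cookie-based (form-login + JSESSIONID). State-changing /api/** requests
             are then accepted from any site the browser is logged into. Keep this only
             if clients authenticate with a non-cookie mechanism; otherwise re-enable
             it and have the JSON clients send the CSRF token in a header. -->
        <security:csrf disabled="true"/>

        <!-- Replaces the namespace's default session strategy (see the composite bean). -->
        <security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
    </security:http>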

    <!-- Custom filter placed in the CONCURRENT_SESSION_FILTER slot of the chain above,
         built from the shared session registry and an errorController bean (both
         declared outside this excerpt). Its rejection logic is not visible here;
         the question's snippet (null/unauthenticated check -> BadCredentialsException)
         is presumably from this class. -->
    <bean id="concurrentSessionFilter" class="***.***ConcurrentSessionFilter">
        <constructor-arg ref="***SessionRegistry"/>
        <constructor-arg ref="errorController"/>
    </bean>

    <!-- Strategies run in list order on every successful login: the session is
         registered first, then the concurrency limit is applied. Spring's reference
         configuration lists the control strategy before registration — confirm the
         custom control strategy does not count the just-registered session as a
         second session when enforcing maximumSessions.
         NOTE(review): neither entry rotates the session id at login (no
         SessionFixationProtectionStrategy / ChangeSessionIdAuthenticationStrategy).
         Since this ref presumably replaces the namespace default, session-fixation
         protection is only whatever the custom strategy does itself — verify. -->
    <bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="registerSessionAuthenticationStrategy"/>
                <ref bean="concurrentSessionControlAuthenticationStrategy"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- Records the authenticated principal's session in the shared registry so the
         concurrency strategy and the custom filter can see it. -->
    <bean id="registerSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
    </bean>

    <!-- Custom concurrency control limited to one session per principal. It also
         receives a logoutService, which suggests the older session is logged out
         rather than the new login being rejected (class not shown — confirm). -->
    <bean id="concurrentSessionControlAuthenticationStrategy" class="***.web.security.***ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
        <constructor-arg name="logoutService" ref="logoutService"/>
        <property name="maximumSessions" value="1" />
    </bean>

    <!-- Enables @Secured on service/controller methods. This is the second line of
         defence behind the URL rules; it is not affected by security="none" chains. -->
    <security:global-method-security secured-annotations="enabled"/>

    <!-- LDAP provider with all settings externalised to ldap.* properties. ldapEnabled
         suggests the provider can be switched off, leaving the file-backed provider
         below as the only one — confirm in the class.
         NOTE(review): make sure ${ldap.url} is ldaps:// (or the provider negotiates
         TLS); a plain ldap:// simple bind sends user passwords in clear text. -->
    <bean id="***LdapAuthenticationProvider" class="***.web.***LdapAuthProvider">
        <property name="url" value="${ldap.url}"/>
        <property name="filter" value="${ldap.filter}"/>
        <property name="domain" value="${ldap.domain}"/>
        <property name="dn" value="${ldap.dn}"/>
        <property name="ldapEnabled" value="${ldap.enable}"/>
    </bean>

    <!-- Providers are consulted in order: LDAP first, then the users.properties store.
         NOTE(review): ProviderManager continues to the next provider after a
         BadCredentialsException, so a user rejected by LDAP can still authenticate
         against the properties file. Keep that file limited to the accounts that are
         meant to bypass LDAP (verify the custom provider's exception behaviour). -->
    <security:authentication-manager>
        <security:authentication-provider ref="***LdapAuthenticationProvider"/>
        <security:authentication-provider user-service-ref="***UserDetailsService"/>
    </security:authentication-manager>

    <!-- Classpath location of the local user store consumed by the in-memory manager. -->
    <bean id="usersResource" class="org.springframework.core.io.ClassPathResource">
        <constructor-arg value="/users.properties" />
    </bean>

    <!-- Resolves the resource to a java.io.File; presumably fails at startup if
         users.properties is packaged inside a jar rather than on an exploded classpath. -->
    <util:property-path id="usersResourceFile" path="usersResource.file" />

    <!-- Custom in-memory user manager loaded from users.properties.
         NOTE(review): this is a second credential store that sits beside LDAP; check
         how the custom manager stores and compares the password entries (hashed vs.
         plain) and keep the file out of version control / readable only by the
         service account. -->
    <bean id="***UserDetailsService" class="***.web.security.***InMemoryUserDetailsManager">
        <constructor-arg index="0" ref="usersResourceFile"/>
    </bean>

I have tried different approaches, but I cannot find a way to exclude specific URLs from authentication.

For example:

/api/url/available/without/login

should be reachable even when the user is not logged in.

P.S.

I have tried to apply this answer, but it doesn't work for me:

https://stackoverflow.com/a/5382178/2674303

UPD

I have tried

    ....
    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>
    <security:http pattern="/api/url/available/without/login" security="none"/>
    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
    ....

but when I call it, this URL is still protected and I get a 401,

because this code:

 // Reads the thread-bound SecurityContext populated by the filter chain. With
 // <security:anonymous enabled="false"/> in the chain, an unauthenticated request
 // carries no AnonymousAuthenticationToken, so `authentication` is null here and
 // every such request - including URLs meant to be public - is rejected below.
 SecurityContext securityContext = SecurityContextHolder.getContext();
 Authentication authentication = securityContext.getAuthentication();
 if (authentication == null || !authentication.isAuthenticated()) {
       // The name is only read when a token exists (guards the null case above).
       String name = authentication != null ? authentication.getName() : "";
       // NOTE(review): if this runs in the CONCURRENT_SESSION_FILTER slot, the
       // exception is thrown before ExceptionTranslationFilter, so the 401 the
       // question reports must come from the filter's own error handling
       // (presumably errorController) rather than from httpStatusEntryPoint — verify.
       throw new BadCredentialsException("Could not find user " + name);
  }

throws an exception.




You just need to add a "default" `security:http` element:

<!-- NOTE(review): this element has no pattern attribute, so it is a second universal
     chain. The question's existing security:http is pattern-less as well and therefore
     already takes every request (its intercept-url only scopes authorization rules,
     not which chain matches), so this element is never reached — and, as I recall,
     Spring's chain validator rejects a universal chain that is not the last one
     (the reported startup error is a different one; verify). Also note that
     access="permitAll()" with pattern="/" covers only the root path in Ant matching. -->
<security:http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/" access="permitAll()"/>
  <anonymous/>
  <csrf disabled="true"/>
</security:http>

after your current `security:http` element. It would handle all requests that the first `security:http` element does not match. Note, however, that a `security:http` element without a `pattern` attribute matches every request, so the first element in the question is already the universal chain; a public URL under `/api/**` has to be excluded with a separate `<security:http pattern="…" security="none"/>` placed *before* it, which is what the comments below confirm.

  • org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute |Offending resource: class path resource [context-security.xml] – gstackoverflow Mar 29 '16 at 20:06
  • Well, try to add into `security` tag – Roman Proshin Mar 29 '16 at 21:14
  • but what if I want to exclude 5 urls. Should I add 5 new security:http tags ? – gstackoverflow Mar 30 '16 at 08:24
  • No, the first security:http tag handles requests to `/api/**` only. The second "default" http tag handles all others requests. You will need to add new http tags in case if you want to protect some new URLs (and then you need to place these new https tags before "default"). – Roman Proshin Mar 30 '16 at 08:44
  • actually works if add **security:http** tag with specific url **BEFORE** **security:http**tag with /api/** – gstackoverflow Mar 30 '16 at 10:38
  • /api/url/available/without/login matches /api/** – gstackoverflow Mar 30 '16 at 10:39
  • please show code. You say No, but it sounds as Yes according my opinion – gstackoverflow Mar 30 '16 at 10:40