Disable basic authentication for specific end point, and keep all other secured

Question

Right now I configure web security adapter like -

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
            .authorizeRequests()
            .anyRequest()
            .fullyAuthenticated().and()
            .httpBasic().and()
            .csrf()
            .disable();
 }
}

Which working fine and blocking all requests if not authenticated. But now I want to block all but /login. I mean, I want JUST /login and /login/* to be insecure, and rest of the app to be secured.

Anyone knows how can I achieve that?

Configure it like that. Add a security rule which allows full access to those urls. — M. Deinum, Aug 15 '17 at 13:36
@M.Deinum: that is what i am looking for, i mean how the configuration should be. — Jahid Shohel, Aug 15 '17 at 13:48
Something like `authorizeRequests().antMatchers("/login", "/login/*).permitAll()`. All of that is explained in the reference guide. — M. Deinum, Aug 16 '17 at 05:44

score 0 · Answer 1 · answered Aug 15 '17 at 23:09

Try to add the /login url to ignore list in WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Override
    public void configure(WebSecurity webSecurity) throws Exception{
        webSecurity
            .ignoring()
                .antMatchers("/login");
    }
}

Disable basic authentication for specific end point, and keep all other secured

1 Answers1