how to create exceptions to JWT filter based on URLs

Question

I am working on JWT authentication.I want to bypass ( not allow to pass through jwt filter), the provided URLs. Below is the code snippet.

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.cors().and().csrf().disable().authorizeRequests().antMatchers(bypassURLs)
                    .permitAll().anyRequest().authenticated().and().addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtConfigProperties))
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}

In the above code, I want the system Not to filter for bypassURLs. If I am passing "/sayHello", then JWTAuthenticationFilter should not be applied to this while the URLs other than "/sayHello" must pass through the JWTAuthenticationFilter.

I have tried http.csrf().ignoringAntMatchers("/sayHello"); and some some regex but not succeded. Please help.

use `.authorizeRequests().antMatchers("/sayHello").permitAll() `. — Amol Raje, Dec 06 '17 at 11:08
What I need is all the requests except "/sayHello" must be filtered. — Ravi, Dec 06 '17 at 12:09

score 4 · Accepted Answer · answered Dec 06 '17 at 11:12

4

When using permitAll it means every authenticated user, however you disabled anonymous access so that won't work.

What you want is to ignore certain URLs for this override the configure method that takes WebSecurity object and ignore the pattern.

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/api/v1/signup");
}

And remove that line from the HttpSecurity part. This will tell Spring Security to ignore this URL and don't apply any filters to them.

answered Dec 06 '17 at 11:12

Amol Raje

928
3
9
16

This will not filter the specified url but how would I allow others to pass through filter. The URLs other than "/sayHello" – Ravi Dec 06 '17 at 12:01
don't do anything ...filter will automatically apply on another URLs except `web.ignoring().antMatchers("/api/v1/signup")` – Amol Raje Dec 06 '17 at 12:09
you just override the method `protected void configure(HttpSecurity httpSecurity)` and add the filter ...that you have already added – Amol Raje Dec 06 '17 at 12:12
just check other URLs is passing through filter or not ..let me know it's working or not.. – Amol Raje Dec 06 '17 at 12:15

how to create exceptions to JWT filter based on URLs

1 Answers1