I'm working on Spring reload with Spring DevTools in a remote app. I got a bug with the HttpSecurity configuration.
As explained here, I put this in the HTTP security config:
http.requestMatchers("/.~~spring-boot!~/restart").anyRequest().anonymous()
.and().csrf().disable();
First, requestMatchers doesn't exist in version 2.2.4.RELEASE, so I replaced it with antMatcher. But the application has to authenticate other URLs. I tried multiple different configurations, but none ever worked.
First
http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.antMatcher("/.~~spring-boot!~/restart").anonymous().and().
authorizeRequests(aR -> aR
.antMatchers("/.~~spring-boot!~/restart").anonymous()
.anyRequest().authenticated()
)
.logout().disable()
.addFilterBefore(new AuthTokenFilter(userRepository, env), UsernamePasswordAuthenticationFilter.class);
Second
http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("/.~~spring-boot!~/**").authorizeRequests().anyRequest().anonymous()
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.logout().disable()
.addFilterBefore(new AuthTokenFilter(userRepository, env), UsernamePasswordAuthenticationFilter.class);
Third
http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.antMatcher("/.~~spring-boot!~/restart").anonymous().and().authorizeRequests().anyRequest().authenticated().and().logout().disable()
.addFilterBefore(new AuthTokenFilter(userRepository, env), UsernamePasswordAuthenticationFilter.class);
Could you help me? Some configurations result in the exception:
Exception in thread "File Watcher" java.lang.IllegalStateException: Unexpected 401 UNAUTHORIZED response uploading class files.
Others are: Can't configure anyRequest after itself.
I'm quite lost because I thought that antMatcher would work. Any ideas?
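
An added example, not part of the original post: one way to keep the DevTools remote path anonymous while everything else stays authenticated is to give it its own filter chain, using the multiple-`HttpSecurity` pattern of Spring Security 5.2. `AuthTokenFilter` and `UserRepository` are the question's own classes (assumed to be in the same package), and the type of `env` is assumed to be Spring's `Environment`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// AuthTokenFilter and UserRepository come from the question; "env" is assumed
// to be a Spring Environment. This class is an illustration, not project code.
@EnableWebSecurity
public class SecurityConfig {
    // Chain 1 (checked first): matches only the DevTools remote path.
    // HttpSecurity.antMatcher(...) scopes the WHOLE chain to that pattern, so it
    // cannot share a chain with the rules for the rest of the application.
    @Configuration
    @Order(1)
    public static class DevToolsRemoteSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/.~~spring-boot!~/**")
                .csrf().disable()
                // Exactly one anyRequest() per chain. AuthTokenFilter is not added
                // to this chain, so it never sees the class-file upload.
                .authorizeRequests().anyRequest().anonymous();
        }
    }

    // Chain 2: every other URL stays behind the token filter.
    @Configuration
    @Order(2)
    public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        private final UserRepository userRepository;
        private final Environment env;
        public ApplicationSecurity(UserRepository userRepository, Environment env) {
            this.userRepository = userRepository;
            this.env = env;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().anyRequest().authenticated().and()
                .logout().disable()
                .addFilterBefore(new AuthTokenFilter(userRepository, env), UsernamePasswordAuthenticationFilter.class);
        }
    }
}
```

The anonymous chain only removes Spring Security's checks from that path; the DevTools remote endpoint still depends on the `spring.devtools.remote.secret` value, so that secret should be strong and remote DevTools should stay off in production.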