5

This question might seems like duplicate but none of the below answers explained when to use:

`http
   .authorizeRequests()
   .antMatchers("/h2-console/**", "/user/register/**").permitAll()`

and

`web
   .ignoring()
   .antMatchers("/h2-console/**", "/user/register/**")`
  1. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  2. Difference between Web ignoring and Http permitting in Spring Security?

Going through StackOverflow asnwers and several articles I got to learn that:

configure(HttpSecurity) allows configuration of web based security at a resource level.

configure(WebSecurity) is used for configuration settings that impact global security. Using this a URL is completely ignored from Spring Security Filter Chain.

When i am using permitAll() it only works if i have disabled csrf: http.csrf().disable() because Spring Security filter chain is still active.

But with web.ignoring() URL are ignored completely.

Still a lot of articles uses http.permitAll() for /login or /register like like this one and this

So I want to understand,

Why should we even use http.permitAll() at all for Un-Auth URLS like /login and /register?

Why can't we use web.ignoring() for /login and /register?

Why web.ignoring() is commonly used for serving static content like css and webjars etc only but not with /login and /register?

Mohd Waseem
  • 1,244
  • 2
  • 15
  • 36
  • 3
    When you `permitAll` you basically say regardless of anything I want everyone to be able to access this URL, however all the other security features (secure headers, csrf protection etc) are still applied. With `ignoring` all those features are also ignored and open your application for possible vulnerabilities. – M. Deinum Jul 01 '20 at 13:05
  • thanks for the response. I want to understand the vulnerabilities. I mean if i want a `URL` to be unauthenticated then what security vulnerabilities can still be there? This will help me to understand and decide which `URLS` should be `web.ignored()` and which should be `http.permitAll()` in future scenarios. – Mohd Waseem Jul 01 '20 at 13:10
  • 2
    Cross Site Scripting, XSS attacks, content-sniffing to name a few. Spring Security has features to protect against those (and to enable them in the browser by sending additional headers). Spring Security does more then "just" authentication and authorization. Ignoring them also means there is no security context being set etc. – M. Deinum Jul 01 '20 at 13:11

1 Answers1

3

As @M. Deinum pointed out, I am concluding the answer and I have updated the documentation for the same in PR.

configure(WebSecurity web)

Endpoint used in this method ignores the spring security filters, headers, CSRF etc. see HeadersConfigurer, CsrfConfigurer. Instead, if you want to protect public endpoints against common vulnerabilities, then see configure(HttpSecurity) and HttpSecurity#authorizeRequests configuration method.

configure(HttpSecurity http)

Public endpoints that require defense against common vulnerabilities can be specified here. see HttpSecurity#authorizeRequests and the permitAll() authorization rule for more details.

Romil Patel
  • 12,879
  • 7
  • 47
  • 76