I work on angularjs application and I try to serve static resource (my front end) with Spring boot.
I used gulp to build project and I get this distribution structure:
here is the content of hash folder
my spring security config look like this:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(myEntryPoint());
http
.authorizeRequests()
.antMatchers("/__hash__/**").permitAll()
.antMatchers("/views/**").permitAll()
.antMatchers("/index.html").permitAll()
.antMatchers("/api/**").authenticated()
.antMatchers("/**").permitAll();
http // login configuration
.addFilterAfter(springSecurityFilter(), BasicAuthenticationFilter.class);
/*http
.authorizeRequests()
.anyRequest().authenticated();*/
http //logout configuration
.logout()
.logoutSuccessHandler(logoutHandler());
http.csrf().disable();
}
The config spring for serving static content:
#Configuration
public class MyContentConfig extends WebMvcConfigurerAdapter {
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry
.addResourceHandler("/**")
.addResourceLocations("file:///" + "c:/front/") ;
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("forward:/index.html");
}
}
After authentication, I get the index.html page but without css style and without js.
And when I try to access to css using this url "https://localhost:9999/hash/styles.min.css" I get this error:
There was an unexpected error (type=Not Acceptable, status=406).
Could not find acceptable representation
You are loading livereload.js over http. If you are using https, all resource must be load over https.
so load livereload.js over https.
I resolved the problem. it's related to "spring-cloud-config-server". I just delete this config:
org.springframework.cloud
spring-cloud-config-server
Related
I have a spring boot application and I want to enable the HSTS over my domain (say https:example.com).
I wrote the script in WebSecurityConfigurerAdapter. The code snippet is shown below.
#EnableWebSecurity
#Configuration
#Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
http
.authorizeRequests()
.antMatchers(HttpMethod.TRACE, "/**").denyAll()
.antMatchers("/**").permitAll();
http
.antMatcher("/**").httpBasic()
.and().csrf().disable()
.headers().httpStrictTransportSecurity()
.includeSubDomains(true)
.maxAgeInSeconds(31536000);
// #formatter:on
}
}
The deployment of the spring boot application happened in the Azure cloud. After the deployment, I'm not seeing the HSTS header when I hit the base domain.
But I can see the header when hitting the entire URL (say https://example.com/questions/ask).
Any help would be appreciated. Thanks!
I tried all the suggestions from here but i could not make it work
spring boot security static resources
I have to specify that the image i am trying to add is on the log in page.
I am using maven to create a spring boot webapp with security and thymeleaf.
It seems that all my static resources load fine(css/jss)but the images do not.When i check the developer tools in chrome i get a 404 error for that said image in the console.no matter what path i am using i am geting the same error.I have permited access to all the static content here
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers(HttpMethod.GET,"/resources/**" ,"/js/**", "/css/**", "/images/**" ,"/fonts/**", "/scss/**", "/index", "/", "/login").permitAll()
.and()
.authorizeRequests()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.defaultSuccessUrl("/home", true)
.and()
.logout()
.logoutSuccessUrl("/")
.logoutUrl("/signout");
}
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**"); // #3
}}
this is how i access it in thymeleaf
<div class="col-lg-2 ml-auto" data-aos="fade-up" data-aos-delay="100">
<figure class="img-absolute">
<img th:src="#{/images/car.jpeg}" alt="Image" class="img-fluid">
</figure>
</div>
this is my folder structure
src->main->resources->static->images->car.jpeg
and this is the error i get in dev tools
GET http://localhost:8080/images/car.jpeg 404
any help would be greatly appreciated.
Use this approach to get the static images and other resources to load on your html page -
1.) Correct your folder structure for images, It should be -
your_project_name -> src -> main -> resources -> static -> assets -> img --> your images
NOTE - Add your other static files and folders inside assets folder.
2.) And your Security config class -
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// your code
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/assets/**");
}
}
3.) Use correct url on your html page to access the images -
//your code
<img th:src="#{/assets/img/car.jpeg}" alt="Image" class="img-fluid">
I know how to disable swagger for production - i only need to add annotation #Profile("!prod") in configuration class:
#Configuration
#EnableSwagger2
#RequiredArgsConstructor
#Profile("!prod")
public class SwaggerConfig {
result of adding annotation
But the result is, that the swagger-ui.html still is available in browser, only its empty. I wonder is there solution to disable it fully, so the page will not load?
this could be simply done with spring-security by blocking the url for the production environment. Please try :
Add dependency (if you are using spring-boot) to pom.xml :
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Add configuration file :
#Configuration
#Profile("prod")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**/swagger-ui.html").denyAll();
}
}
It will send 403 forbidden status.
Okey #zpavel its good solution, thank you. I just already had such spring security configuration, and when i added yours, i got error "#Order on WebSecurityConfigurers must be unique.", so i added to one class #Order(1), and to the other one #Order(2). Unfortunately the .antMatchers("/**/swagger-ui.html").denyAll(); denied all request even those who were not swagger calls, i don't know why.
Hovewer i modified Your solution and it worked for me:
#Value("${spring.profiles.active}")
private String activeProfile;
#Override
public void configure(HttpSecurity http) throws Exception {
if(activeProfile.equals("prod")){
http.authorizeRequests()
.antMatchers("/something").permitAll()
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**", "/swagger-ui.html", "/webjars/**").denyAll()
.antMatchers("/something").permitAll()
.anyRequest().authenticated();
} else {
http.authorizeRequests()
.antMatchers("/something").permitAll()
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**", "/swagger-ui.html", "/webjars/**").permitAll()
.antMatchers("/something").permitAll()
.antMatchers("/something").permitAll()
.anyRequest().authenticated();
}
}
How to allow anonymous access to springdoc-openapi-ui (OpenAPI 3.0 /swagger-ui.html) in a Spring Boot application secured by Spring Security?
To use springdoc-openapi-ui /swagger-ui.html, allow anonymous access to the following endpoints in the WebSecurityConfigurerAdapter using permitAll method:
/v3/api-docs/**
/swagger-ui/**
/swagger-ui.html
Example:
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.
.authorizeRequests()
.antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic(); //or anything else, e.g. .oauth2ResourceServer().jwt()
}
}
Make sure a project has the following dependencies:
org.springdoc:springdoc-openapi-ui
org.springdoc:springdoc-openapi-security
Additionally to Evgeniy's answer, I'd add the proper configuration to avoid conflicts with document fetching used in Swagger's UI (such js, html, images and other files), also in the SecurityConfig class like this:
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//Other configuration methods
#Override
public void configure(WebSecurity web) {
web.ignoring()
.antMatchers("/v3/api-docs/**", "/swagger-ui/**");
}
}
Without this configuration, even though the UI looks like It's loaded, a 401: Unauthorized may arise on the background calls when loading the above mentioned files.
For obtaining access in spring webflux you have to do the following, tested with spring-doc version 1.5.2:
The swagger webpage was failing on html resources with the path /webjars/swagger-ui.
#Configuration
#EnableWebFluxSecurity
public class SecurityConfig {
#Bean
SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http.authorizeExchange()
.pathMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html", "/webjars/swagger-ui/**")
.permitAll()
.anyExchange()
.authenticated()
.and()
.build();
}
}
I have a quick issue which am not really sure how to sort this out yet.
The issue is that, I'm using Thymeleaf, and was working perfectly fine until I've introduced the Springboot security. Since then, the styling isn't working at all. Looks like the static folder isn't seen for some reason. I've tried several structures to make it work but still no luck. I've tried to include in resource folder static folder, then resource folder (again) with no luck. I've also tried to rename the static into public, still no luck. I've noticed that if you include the URL somewhere on the web it works but if you include the URL somewhere on your local machine doesn't work. So I'm 100% sure there is a problem with the structure of the folders or the Spring configuration.
Any help, would be really much appreciated.
Spring security configuration class:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.formLogin()
.loginPage("/login")
.usernameParameter("username")
.passwordParameter("password")
.failureUrl("/login?error")
.defaultSuccessUrl("/default")
.and()
.logout()
.logoutSuccessUrl("/")
.and()
.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/", "/static/**").permitAll()
.antMatchers("/createUser").hasRole("ADMIN")
.anyRequest().authenticated();
}
}
WebConfig class:
#Configuration
#EnableWebMvc
public class WebAppConfig {
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
}
}