How to disable spring security for particular url
Solution 1
When using permitAll
it means every authenticated user, however you disabled anonymous access so that won't work.
What you want is to ignore certain URLs for this override the configure
method that takes WebSecurity
object and ignore
the pattern.
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/v1/signup");
}
And remove that line from the HttpSecurity
part. This will tell Spring Security to ignore this URL and don't apply any filters to them.
Solution 2
I have a better way:
http
.authorizeRequests()
.antMatchers("/api/v1/signup/**").permitAll()
.anyRequest().authenticated()
Solution 3
<http pattern="/resources/**" security="none"/>
Or with Java configuration:
web.ignoring().antMatchers("/resources/**");
Instead of the old:
<intercept-url pattern="/resources/**" filters="none"/>
for exp . disable security for a login page :
<intercept-url pattern="/login*" filters="none" />
Solution 4
This may be not the full answer to your question, however if you are looking for way to disable csrf protection you can do:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/web/admin/**").hasAnyRole(ADMIN.toString(), GUEST.toString())
.anyRequest().permitAll()
.and()
.formLogin().loginPage("/web/login").permitAll()
.and()
.csrf().ignoringAntMatchers("/contact-email")
.and()
.logout().logoutUrl("/web/logout").logoutSuccessUrl("/web/").permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("admin").roles(ADMIN.toString())
.and()
.withUser("guest").password("guest").roles(GUEST.toString());
}
}
I have included full configuration but the key line is:
.csrf().ignoringAntMatchers("/contact-email")
Solution 5
As @M.Deinum already wrote the answer.
I tried with api /api/v1/signup
. it will bypass the filter/custom filter but an additional request invoked by the browser for /favicon.ico
, so, I add this also in web.ignoring() and it works for me.
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/v1/signup", "/favicon.ico");
}
Maybe this is not required for the above question.
Related videos on Youtube
Prabjot Singh
Full stack developer. I have created Fastub, a rest API mocking tool.
Updated on July 20, 2020Comments
-
Prabjot Singh almost 4 years
I am using stateless spring security,but in case of signup i want to disable spring security.I disabled using
antMatchers("/api/v1/signup").permitAll().
but it is not working,i am getting error below:
message=An Authentication object was not found in the SecurityContext, type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException
I think this means spring security filters are working
My url's order always will be "/api/v1"
My spring config is
@Override protected void configure(HttpSecurity http) throws Exception { http. csrf().disable(). sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS). and(). authorizeRequests(). antMatchers("/api/v1/signup").permitAll(). anyRequest().authenticated(). and(). anonymous().disable(); http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class); }
My authentication filter is
@Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = asHttp(request); HttpServletResponse httpResponse = asHttp(response); String username = httpRequest.getHeader("X-Auth-Username"); String password = httpRequest.getHeader("X-Auth-Password"); String token = httpRequest.getHeader("X-Auth-Token"); String resourcePath = new UrlPathHelper().getPathWithinApplication(httpRequest); try { if (postToAuthenticate(httpRequest, resourcePath)) { processUsernamePasswordAuthentication(httpResponse, username, password); return; } if(token != null){ processTokenAuthentication(token); } chain.doFilter(request, response); } catch (InternalAuthenticationServiceException internalAuthenticationServiceException) { SecurityContextHolder.clearContext(); logger.error("Internal authentication service exception", internalAuthenticationServiceException); httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } catch (AuthenticationException authenticationException) { SecurityContextHolder.clearContext(); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage()); } finally { } } private HttpServletRequest asHttp(ServletRequest request) { return (HttpServletRequest) request; } private HttpServletResponse asHttp(ServletResponse response) { return (HttpServletResponse) response; } private boolean postToAuthenticate(HttpServletRequest httpRequest, String resourcePath) { return Constant.AUTHENTICATE_URL.equalsIgnoreCase(resourcePath) && httpRequest.getMethod().equals("POST"); } private void processUsernamePasswordAuthentication(HttpServletResponse httpResponse,String username, String password) throws IOException { Authentication resultOfAuthentication = tryToAuthenticateWithUsernameAndPassword(username, password); SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication); httpResponse.setStatus(HttpServletResponse.SC_OK); httpResponse.addHeader("Content-Type", "application/json"); httpResponse.addHeader("X-Auth-Token", resultOfAuthentication.getDetails().toString()); } private Authentication tryToAuthenticateWithUsernameAndPassword(String username,String password) { UsernamePasswordAuthenticationToken requestAuthentication = new UsernamePasswordAuthenticationToken(username, password); return tryToAuthenticate(requestAuthentication); } private void processTokenAuthentication(String token) { Authentication resultOfAuthentication = tryToAuthenticateWithToken(token); SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication); } private Authentication tryToAuthenticateWithToken(String token) { PreAuthenticatedAuthenticationToken requestAuthentication = new PreAuthenticatedAuthenticationToken(token, null); return tryToAuthenticate(requestAuthentication); } private Authentication tryToAuthenticate(Authentication requestAuthentication) { Authentication responseAuthentication = authenticationManager.authenticate(requestAuthentication); if (responseAuthentication == null || !responseAuthentication.isAuthenticated()) { throw new InternalAuthenticationServiceException("Unable to authenticate Domain User for provided credentials"); } logger.debug("User successfully authenticated"); return responseAuthentication; }
My controller is
@RestController public class UserController { @Autowired UserService userService; /** * to pass user info to service */ @RequestMapping(value = "api/v1/signup",method = RequestMethod.POST) public String saveUser(@RequestBody User user) { userService.saveUser(user); return "User registerted successfully"; } }
I am totally new to spring,please help me how to do it ?
-
Krzysztof Cichocki almost 9 yearsTake a look at: stackoverflow.com/questions/4487249/…
-
-
Jacob Zimmerman about 8 yearswhat file does this get written in?
-
onkami over 7 years@JacobZimmerman spring.io/blog/2013/07/03/… the configurer for web security class
-
Viacheslav Shalamov over 4 yearsWhere is this snippet supposed to be called?
-
jAC about 4 years@ViacheslavShalamov In your
WebSecurityConfig extends WebSecurityConfigurerAdapter
'sconfigure(HttpSecurity http)
method. See baeldung.com/java-config-spring-security -
muasif80 almost 4 yearsJust would like to add you have to extend
WebSecurityConfigurerAdapter
andoverride
thismethod
in it. -
Chao over 3 yearsthis is most common in the internet, actually it is wrong practice. if you permit all, you mean it still need to authenticate but you finally permit it. so why should we do authentication (I mean authentication filters will be still triggered) for a sign up access?
-
gene b. about 3 yearsThis didn't work for me. Even after adding
web.ignoring.antMatchers(..)
as described I'm getting this error:org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
-
M. Deinum about 3 yearsThen you haven't configured things right else it would work.
-
J.Dario almost 3 yearsI added this but POSTing to the API via Postman still returns
Cannot POST /api/datapoints
everytime.. I also tried the other answeres without success. Are there any other settings you can/have to do in addition to this? -
Leponzo about 2 years@Chao, what do you recommend?