Technology : Spring Boot with themeleaf
I'm trying to access the css file placed under src/main/resources/assets/vendor/bootstrap/css/bootstrap.css on my HTML using the following code:
But it is not loading.
Folder Structure :
Resources
--->assets
------>vendor
--------->bootstrap
------------>css
--------------->bootstrap.css
--->code
Can any one help me in this?
Here is my spring security config,
http.
csrf().disable()
.authorizeRequests()
.antMatchers("/home/**", "/**", "/css/**", "/js/**", "/fonts/**", "/images/**", "/public/rest/**","/login*","/signin/**","/signup/**").permitAll()
.antMatchers("/property/**").authenticated()
.antMatchers("/welcome/**").authenticated()
.and()
.formLogin().loginPage("/login").permitAll()
.and().httpBasic().disable();
Simply you need this line,
.antMatchers("/home/**", "/**", "/css/**", "/js/**", "/fonts/**", "/images/**", "/public/rest/**","/login*","/signin/**","/signup/**").permitAll()
But, I would suggest to disable security first and check if everything is working. If that works, then reenable security and try to configure it like shown.
From my working project. The resources is under resources/static/js/script.js. And I am accessing it from html like js/script.js. No issue. Probably you are missing static folder. And if you are using spring security, you need to make the resources available.
Related
I have an OAuth 2.0 authorization server created using Spring Boot and the legacy #EnableAuthorizationServer. An extract of the security configuration can be found below:
http
.requestMatchers()
.mvcMatchers("/login", "/profile", "/oauth/authorize", "/.well-known/jwks.json")
.and()
.authorizeRequests()
.mvcMatchers("/login", "/.well-known/jwks.json").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
Everything is working fine and now I'm creating Thymeleaf templates for error messages. Errors like 404 are shown with my custom page, using a file 404.html under resources/templates/error. There is a generic resources/templates/error.html for any unhandled exception.
For some reason, the template 401.html is not being rendered. Instead, Spring keeps returning the default response with the code 401 and the content below:
<oauth>
<error_description>Full authentication is required to access this resource</error_description>
<error>unauthorized</error>
</oauth>
Do you know if this can be changed and how? Just to be clear, I don't want to remove the error but to return a custom content.
Thank you for your time!
You should tell Spring Security that you don't want authentication on your error page with something like this :
http.authorizeRequests().mvcMatchers("/your/error/page/url").permitAll();
How can an Authorization header be accessed on anonymous urls?
My security configuration looks like:
http
.authorizeRequests()
.antMatchers("/login", "/legacy-login").anonymous()
.antMatchers("/things/*").authenticated()
.anyRequest().permitAll()
.and()
.httpBasic()
Authentication in general works fine. However, on /legacy-login I need to do some migration and need to access the authorization header without spring boot managing the authorization. Although /legacy-login is marked anonymous as soon as there are requests, spring intercepts the request and tries to authorize itself (what then results into 401).
How can I make Spring let the auth header through on that single url?
I foudn one solution myself. Instead of fiddleing around with .anonymous() and .permitAll() I added /legacy-login as ignore rule:
override fun configure(web: WebSecurity) {
super.configure(web)
web.ignoring()
.antMatchers("/legacy-login")
}
I am creating a app using angular for frontend and spring boot for backend.
I am using spring-boot-security for the security purpose.
Spring boot serves static content from src/main/resources/static folder.
I am placing all the contents of angular dist folder here, i.e. all js,css,html produced by ng build.
But upon running the app, I keep on getting a 401 unauthorized error.
Here is my configure() method:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.cors()
.and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.authorizeRequests()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.antMatchers("/api/v1/login/").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(getJWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
If I add .antMatchers("/**").permitAll() then the app will load all angular resources correctly but makes the security then useless as all api endpoints are then exposed.
Also I read that \css,\images,\js etc. are allowed by default, but here my I just refer to static folder.I also tried moving all the content to a new endpoint, say /app by implementing addResourceHandlers() method, but then my angular code breaks, since it references all css,jss directly in its href and not behind any folder name.
I am using spring boot 2.1.1 release and most of the answers refer to spring boot v1, and I am unable to find a soln.
I want to configure spring security to allow access to just all resources under static folder. Doing so will allow me to use my angular code without changing all hrefs. How can I achieve this?
I am developing my spring boot app which is protected by spring security. Here is part of secured config:
#Override
public void configure(HttpSecurity http) throws Exception {
// #formatter:off
http
// .csrf().ignoringAntMatchers("/dashboard")
// .and()
.httpBasic()
.and()
.headers().frameOptions().disable()
.and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority(Authority.Type.ROLE_ADMIN.getName())
.antMatchers("/", "/login**", "/index.html", "/home.html").permitAll()
.and()
.logout().logoutSuccessUrl("/").permitAll()
.and()
.csrf().csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
// #formatter:on
}
I am going to implement some admin dashboard to manage my app using VAADIN.
I have read that "Disable CSRF-protection in either Spring or Vaadin. If you have both turned on, your application will not work.".
In my case I need to disable CSRF-protection in Vaadin, but I could not find how can I do it using Java config.
For this moment I am getting: https://127.0.0.1:8443/vaadinServlet/UIDL/?v-wsver=7.5.5&v-uiId=0 "Communication error: UIDL could not be read from server. Check servlets mappings. Error code: 403", during navigation from the main view to other views. (e.g: /dashboard#!myview). This because AccessDeniedHandlerImpl handle method is invoked. I have try to fix this using following statements but it doesn't help:
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
So, please help me to solve this two issues:
Disable CSRF in VAADIN using java config.
Solve problem with view navigation.
Thanks
To fix the above issues, I have decided to divide my project into two modules. First is API app, which has own implemented security configuration. Second is Dashboard, which has both Spring Security integrated with Vaadin4Spring based on this sample.
I have a very simple spring boot application, which is secured by the following code:
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/403");
the idea is to secure "admin" portion. It exposes a REST API.
The problem is all the POSTS returns
405 Method Not Allowed
If I remove the security starter from the application, it works. This makes me believe that the security configuration is the problem. But I cannot find out how.
This should be easy.
POSTs and PUT requests would not be allowed if CSRF is enabled,and spring boot enables those by default.
Just add this to your configuration code :
.csrf().disable()
that is :
http.
.csrf().disable().
authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/403");
Refer docs ,if you need to enable CSRF :
http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#csrf-configure
This can also happen if using Spring Security SAML extension and your SAMLUserDetailsService returns a UsernameNotFoundException. Seems pretty counter-intuitive, but that's what it does by default (in my experience).