Spring Boot with Spring Security Filter settings and addictive points

Setting Example

When configuring Filter in Java Configuration, it is convenient to inherit ʻorg.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter` and overwrite the two configure methods.

You can add a Filter for authentication with HttpSecurity and set WebSecurity to ignore the Filter.

SecurityConfig.java



@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String[] STATIC_RESOURCES = {
        "/**/css/**", "/**/js/**", "/**/img/**",
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //Add Filter to Security Filter Chain
        http.addFilter(this.preAuthenticatedProcessingFilter());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        //Set paths to exclude from the Security Filter Chain
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    //Filter registered in Security Filter Chain is not bean-defined
    public AbstractPreAuthenticatedProcessingFilter preAuthenticatedProcessingFilter() throws Exception {
        final SampleAuthFilter filter = new SampleAuthFilter();
        filter.setAuthenticationManager(this.authenticationManager());
        return filter;
    }
}

There are many articles and sites of other people around here, so I don't have to bother to write it, but I've been addicted to it for a while, so I'll write it.

Where I was addicted

Even if you set ignore, Filter will be applied to all requests including static resources that do not require authentication. For a few days, I found some free time and searched for "spring security ignoring not work" etc., but I couldn't find a solution due to problems such as how to write the ignore settings.

When I think about it now, the comment here on StackOverflow was exactly the solution, but I didn't realize it.

Cause and solution

The cause is that the Filter class was annotated with @Component. The same goes for adding @Bean to the Configuration class. As a result, it will be registered outside the Security Filter Chain.

The solution is, of course, not to register as a bean.

Some pages have sample code with @Bean, so I thought some people would suffer from the same problem. However, although it is unconfirmed, if you do not use Spring Boot (starter-web?), You may not get into this problem.

I got a hint from the solution to exclude from FilterRegistrationBean on StackOverFlow and managed to solve it, but I can't seem to see it just by tracing from the source of WebSecurityConfigurerAdapter. How Spring Security works in Hello World was very helpful.

If I couldn't solve it in another day, the worst way "adding an if statement on the Filter side" was flickering (laughs).

reference

Spring Security – security none, filters none, access permitAll Spring Security filter chain not ignoring specified path [duplicate] How Spring Security works in Hello World

Recommended Posts

Spring Boot with Spring Security Filter settings and addictive points
Spring Security usage memo: Cooperation with Spring MVC and Boot
HTTPS with Spring Boot and Let's Encrypt
Achieve BASIC authentication with Spring Boot + Spring Security
Hash passwords with Spring Boot + Spring Security (with salt, with stretching)
Try LDAP authentication with Spring Security (Spring Boot) + OpenLDAP
[Introduction to Spring Boot] Authentication function with Spring Security
Create Spring Cloud Config Server with security with Spring Boot 2.0
Download with Spring Boot
Try using DI container with Laravel and Spring Boot
Switch environment with Spring Boot application.properties and @Profile annotation
Implement a simple Rest API with Spring Security with Spring Boot 2.0
Create a simple demo site with Spring Security with Spring Boot 2.1
Attempt to SSR Vue.js with Spring Boot and GraalJS
Connect Spring Boot and Angular type-safely with OpenAPI Generator
Generate barcode with Spring Boot
Hello World with Spring Boot
Get started with Spring boot
Hello World with Spring Boot!
Run LIFF with Spring Boot
SNS login with Spring Boot
Spring Boot Hot Swapping settings
File upload with Spring Boot
Spring Boot starting with copy
Login function with Spring Security
Spring Boot starting with Docker
Hello World with Spring Boot
Set cookies with Spring Boot
Use Spring JDBC with Spring Boot
Add module with Spring Boot
Getting Started with Spring Boot
Spring Boot performance related settings
Try using Spring Boot Security
Create microservices with Spring Boot
Send email with spring boot
Handle Java 8 date and time API with Thymeleaf with Spring Boot
Implement REST API with Spring Boot and JPA (Infrastructure layer)
Until INSERT and SELECT to Postgres with Spring boot and thymeleaf
Connect to database with spring boot + spring jpa and CRUD operation
Spring Boot application that specifies DB connection settings with parameters
Implement REST API with Spring Boot and JPA (domain layer)
Domain Driven Development with Java and Spring Boot ~ Layers and Modules ~
Implement a simple Rest API with Spring Security & JWT with Spring Boot 2.0
With Spring boot, password is hashed and member registration & Spring security is used to implement login function.
Easily develop web applications with STS and Spring Boot. In 10 minutes.
Spring Boot 2.x context path settings
Use Basic Authentication with Spring Boot
Implemented authentication function with Spring Security ②
Spring Boot application code review points
gRPC on Spring Boot with grpc-spring-boot-starter
Hot deploy with Spring Boot development
Spring Boot Tutorial Using Spring Security Authentication
I implemented an OAuth client with Spring Boot / Security (LINE login)
Spring Boot programming with VS Code
Until "Hello World" with Spring Boot
Inquiry application creation with Spring Boot
Part 1: Try using OAuth 2.0 Login supported by Spring Security 5 with Spring Boot
Implemented authentication function with Spring Security ①
Get validation results with Spring Boot
Compare Hello, world! In Spring Boot with Java, Kotlin and Groovy
(Intellij) Hello World with Spring Boot