Spring security does not allow CSS or JS resources to be loaded
M

8

49

The resources are under src/main/resources/static/css or src/main/resources/static/js. I'm using Spring Boot, and the security class is:

@Configuration
@EnableWebMvcSecurity
@EnableGlobalAuthentication
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
//      http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
//              .permitAll().anyRequest().authenticated();
//      http.formLogin().loginPage("/login").permitAll().and().logout()
//              .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().withUser("test").password("test")
                .roles("USER");
    }
}

It works well (resources can be loaded) when I access "/index" from the browser. However, if I uncomment the four lines in the class, resources cannot be loaded. The four lines are:

    http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
            .permitAll().anyRequest().authenticated();
    http.formLogin().loginPage("/login").permitAll().and().logout()
            .permitAll();

Could anyone help with this? Thanks in advance.

Makeyevka answered 18/8, 2014 at 17:8 Comment(0)
R
38

You probably want to make sure to have your directory containing those items set as permitAll.

Here's an excerpt from my spring security context file. Under the resources directory, I have js, css, and images folders which are given permissions by this line.

<security:intercept-url pattern="/resources/**" access="permitAll" />
Ramify answered 18/8, 2014 at 17:15 Comment(6)
Thanks for your notification. I added the line http.authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll(); into protected void configure(HttpSecurity http) and then it works, thanks a lot. - Makeyevka
No problem. I used a pretty sweet Maven archetype I found online to generate this project, and it started out with a working Spring MVC, Spring Security, JPA, and Thymeleaf project. It's got a very good Spring Java config setup by default, you might want to check it out: github.com/kolorobot/spring-mvc-quickstart-archetype. - Ramify
It's really good to me and I have joined the watch list, will have a try later, thanks again~ - Makeyevka
Where should this file be located? Any examples? - Mariellamarielle
Spring Boot will, by default, permit access to /css/**, /js/**, /images/**, and /**/favicon.ico. - Rooseveltroost
@Makeyevka Thanks a lot bro! :D - Metacarpal
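The fix the asker reports in the comments above, folded into the question's own rules, as an added example (not code from any poster in this thread). It assumes the WebSecurityConfigurerAdapter API used in the question and Spring Boot's default mapping of classpath:/static/ to the web root; the class name is hypothetical and user setup stays as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; replaces the configure(HttpSecurity) of the question.
@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Matchers are tested against the request URL, not the source path:
                // src/main/resources/static/css/app.css is requested as /css/app.css,
                // so the pattern is "/css/**", not "/static/css/**".
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                // The public pages from the question.
                .antMatchers("/", "/index", "/quizStart").permitAll()
                // Rules are evaluated in order and the first match wins, so the
                // catch-all comes last and stays authenticated().
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}
```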
H
18

For some reason, this did not work for me:

http.authorizeRequests().antMatchers("/resources/**").permitAll();

I had to add this:

http.authorizeRequests().antMatchers("/resources/**").permitAll().anyRequest().permitAll();

Also, this line has to be after the code which restricts access.

Hernando answered 14/8, 2016 at 13:21 Comment(2)
In this way you removed all security, the '.anyRequest().permitAll()' will permit all requests, you must find the right path to your resources and use it. If you use spring security, then usually anyRequest() has to be authenticated() - Mandrake
you might as well not even do the first antmatcher then lol - Cabbagehead
G
13

Add the following:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**").anyRequest();
}
Genevagenevan answered 28/6, 2017 at 12:10 Comment(2)
.anyRequest(); will block your site - Drummond
@Yogesh : Worked..Kudos, that's exactly the issue which I was having. Thanks again. - Nucleoprotein
T
12

You can also use a pattern directly, like "/*.js" for a specific file or "/resources/**" for a directory:

http.authorizeRequests()
        .antMatchers("/", "/login", "/logout", "/error").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/*.js").permitAll()
        .antMatchers("/api/**").authenticated();
Tiberius answered 20/3, 2018 at 9:50 Comment(0)
P
10

I had the same problem and the permitAll() solution didn't work for me. I added the following @Override method to my WebSecurityConfig class.

@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/img/**", "/icon/**");
}

Good Luck!

Purse answered 10/3, 2020 at 19:1 Comment(0)
B
0

I had the same problem and changing access to "permitAll" didn't help. I created a new http pattern where I set security to "none" and then I was able to download the css and js files without authentication.

<http pattern="/resources/**" security="none" />
Boneset answered 1/3, 2016 at 16:21 Comment(0)
M
0

This finally worked for me. The /home (which will bring up the login page) and error messages do not need authentication. All the resources are permitAll, and the /main url is authenticated. Any other url (e.g. /users, /customers, etc.) would need to be added as isAuthenticated().

  <security:intercept-url pattern="/home" access="isAnonymous()"/>
  <security:intercept-url pattern="/error*" access="isAnonymous()"/>      
  <security:intercept-url pattern="/main" access="isAuthenticated()"/>
  <security:intercept-url pattern="/css/**" access="permitAll" />     
  <security:intercept-url pattern="/js/**" access="permitAll" />
  <security:intercept-url pattern="/fonts/**" access="permitAll" />
  <security:intercept-url pattern="/images/**" access="permitAll" />
Mcalpine answered 2/5, 2017 at 21:47 Comment(0)
C
0

.antMatchers("/.js", "/.css").permitAll()

Cabbagehead answered 20/6, 2022 at 17:20 Comment(0)
