Spring security allow static resources without authentication

Details
Written by  
Last Updated on 30 January 2024   |   Print  Email


By default, Spring Security secures access to all resources under the context path of a web application, including static resources such as images, Javascript files, CSS files… However, those static resources should be publicly accessible without authentication, for specific needs and also improved performance. For example, a login page may require some Javascript, CSS and images to function properly - provided that login page is the only one accessible resource whereas others are protected (authentication required).

If you have this statement in the security configuration class:

http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
This will print the following logging message in the console:

o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [org.springframework.security...]
And you use a custom login page that uses some images, JS and CSS - then you must configure Spring Security to allow access to static resources.

So how to configure Spring Security to allow static resources to be available to clients upon request without authentication?

Suppose that your project stores static resources in the following directories:

  • src/main/resources/static/images: contains images
  • src/main/resources/static/js: contains Javascript files
  • src/main/resources/static/css: contains CSS files
Additionally, if you use jQuery and Bootstrap with WebJars, you also need to allow access to /webjars directory.

All files in those directories should not require authentication. In other words, we need to configure Spring Security to ignore those resources. With Spring Boot 2.x and Spring Security 5.x, you need to override the configure(WebSecurity) method defined by the WebSecurityConfigurerAdapter class in the security configuration class as follows:

@Override
public void configure(WebSecurity web) throws Exception {
	web.ignoring().antMatchers("/images/**", "/js/**", "/css/**", "/webjars/**");
}
This code is put in the whole security configuration class as shown below:

package net.codejava;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


	@Override
	public void configure(WebSecurity web) throws Exception {
		web.ignoring().antMatchers("/images/**", "/js/**", "/css/**", "/webjars/**");
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		// configure HTTP security
                http.authorizeRequests().anyRequest().permitAll();		
                …
	}

	// other configurations...	
}


With Spring Boot 3.x and Spring Security 6.x, you need to declare the following bean:

@Bean
WebSecurityCustomizer configureWebSecurity() {
	return (web) -> web.ignoring().requestMatchers("/images/**", "/js/**", "/css/**", "/webjars/**");
}
In the context of the security configuration class as follows:

package net.codejava;

import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig   {

	@Bean
	SecurityFilterChain configure(HttpSecurity http) throws Exception {
		
		http.authenticationProvider(authenticationProvider());
		
		http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
		...		
		
		return http.build();
	}
	

	@Bean
	WebSecurityCustomizer configureWebSecurity() {
		return (web) -> web.ignoring().requestMatchers("/images/**", "/js/**", "/css/**", "/webjars/**");
	}
}
This kind of configuration allows static resources to be served without authentication. You will see the following logs in the console that indicates such configuration is applied:

You are asking Spring Security to ignore Mvc [pattern='/images/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
Will not secure Mvc [pattern='/images/**']
…
This message means that we should configure Spring Security to allow static resources via the configuration of HttpSecurity object like below:

@Configuration
public class WebSecurityConfig   {
	

	@Bean
	SecurityFilterChain configure(HttpSecurity http) throws Exception {
		
		http.authenticationProvider(authenticationProvider());
		
		http.authorizeHttpRequests(auth -> 
			auth.requestMatchers("/images/**", "/js/**", "/css/**", "/webjars/**").permitAll()
  			    .anyRequest().authenticated()
			)
			
			// other configs...
		);
		
		return http.build();
	}
	

}
That’s some code examples which you can refer to allow static resources passed through Spring Security filter without authentication/authorization. I hope you found this post helpful. To learn more, check out my Spring Security tutorials below.

To see the coding in action, watch the following video:

 

Learn more about Spring Security:


About the Author:

is certified Java programmer (SCJP and SCWCD). He started programming with Java in the time of Java 1.4 and has been falling in love with Java since then. Make friend with him on Facebook and watch his Java videos you YouTube.



Add comment