Allow receiving request but not post request (Spring Security)

Question

Allow receiving request but not post request (Spring Security)

I am trying to configure Spring Security. I am following the config:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/auth**").permitAll()
                .and()
                .authorizeRequests()
                    .antMatchers("/**").authenticated()
                    .anyRequest().permitAll()
                .and()
                    .httpBasic()
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .userDetailsService(userDetailsService());
    }

I can send a get-request for a link starting with "/ auth", but I cannot send a post request without authentication. If I remove the following code everything is fine:

.authorizeRequests()
.antMatchers("/**").authenticated()
.anyRequest().permitAll()

But I need authentication on any page except "/ auth **"

+3

spring-security

annoirq 05 Aug 15 at 12:10

source to share

1 answer

PeterS · Answer 1 · 2017-04-11T16:34:22+0000

Very late answer, but like most, I hate coming up with unanswered questions. I think you are asking how to prevent / auth ** authentication.

You must override another config method:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(HttpMethod.POST, "/auth/**");
}

This will not authenticate to that url. In other words, it is a public URL where people can submit a reminder password request, for example.

Allow receiving request but not post request (Spring Security)

More articles: