Allow receiving request but not post request (Spring Security)
I am trying to configure Spring Security. I am following the config:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/auth**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/**").authenticated()
.anyRequest().permitAll()
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.userDetailsService(userDetailsService());
}
I can send a get-request for a link starting with "/ auth", but I cannot send a post request without authentication. If I remove the following code everything is fine:
.authorizeRequests()
.antMatchers("/**").authenticated()
.anyRequest().permitAll()
But I need authentication on any page except "/ auth **"
+3
source to share
1 answer
Very late answer, but like most, I hate coming up with unanswered questions. I think you are asking how to prevent / auth ** authentication.
You must override another config method:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HttpMethod.POST, "/auth/**");
}
This will not authenticate to that url. In other words, it is a public URL where people can submit a reminder password request, for example.
0
source to share