Spring Security: ignoring resources different behavior with and without actuator

Here is a simple project that demonstrates the problem: https://github.com/ralscha/ignoring

Spring Boot adds by default ignore rules for /css/**, /js/** and /images/**.

Creating filter chain: Ant [pattern='/css/**'], []
Creating filter chain: Ant [pattern='/js/**'], []
Creating filter chain: Ant [pattern='/images/**'], []

When there is a custom WebSecurityConfigurerAdapter in the application these rules will not be applied which is what I want.

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
   .....
   @Override
   public void configure(WebSecurity web) throws Exception {
      web.ignoring().antMatchers("/img2.png");
   }
   .....
}

Creating filter chain: Ant [pattern='/img2.png'], []
Creating filter chain: Ant [pattern='/**'], .......

But as soon as you add the actuator as a dependency this behavior changes

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

The presence of a custom WebSecurityConfigurerAdapter no longer overwrites the default ignore rules and the code in the configure method will be ignored.

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]],......

To override the default rules you need to add a security.ignored property in the application.properties or application.yml file

security:
  ignored:
    - /img2.png

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/img2.png'], Ant [pattern='/error']]], []
Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], .....

Issue Analytics

  • State:closed
  • Created 7 years ago
  • Comments:5 (5 by maintainers)

Top GitHub Comments

5 reactions
ralscha commented, Dec 7, 2016

Looks good now. I tested it with the 1.5.0 snapshot and it does no longer make a difference if the actuator is on the classpath or not. Thanks for the change.

Defaults. Without actuator on the classpath 1.4.2.RELEASE

Creating filter chain: Ant [pattern='/css/**'], []
Creating filter chain: Ant [pattern='/js/**'], []
Creating filter chain: Ant [pattern='/images/**'], []
Creating filter chain: Ant [pattern='/webjars/**'], []
Creating filter chain: Ant [pattern='/**/favicon.ico'], []
Creating filter chain: Ant [pattern='/error'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []

Defaults. With actuator on the classpath 1.4.2.RELEASE

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []

With security.ignored=none. Without actuator on the classpath 1.4.2.RELEASE

Creating filter chain: Ant [pattern='/error'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []

With security.ignored=none. With actuator on the classpath 1.4.2.RELEASE

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []

With custom WebSecurityConfigurerAdapter. Without actuator on the classpath 1.4.2.RELEASE

Creating filter chain: Ant [pattern='/img2.png'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: Ant [pattern='/img2.png'], []

With custom WebSecurityConfigurerAdapter. With actuator on the classpath 1.4.2.RELEASE

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: Ant [pattern='/img2.png'], []

With security.ignored=none and custom WebSecurityConfigurerAdapter. Without actuator on the classpath 1.4.2.RELEASE

Creating filter chain: Ant [pattern='/img2.png'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: Ant [pattern='/img2.png'], []

With security.ignored=none and custom WebSecurityConfigurerAdapter. With actuator on the classpath 1.4.2.RELEASE

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []

1.5.0.BUILD-SNAPSHOT

Creating filter chain: Ant [pattern='/img2.png'], []

Custom WebSecurityConfigurerAdapter used in this example

   @Override
   public void configure(WebSecurity web) throws Exception {
      web.ignoring().antMatchers("/img2.png");
   }

3 reactions
ralscha commented, Jul 4, 2016

After further investigating this issue I figured out that my statement about ignoring the rule from the configure method is wrong. The framework always adds the ignore rule from the public void configure(WebSecurity web) method.

But there is a difference when the actuator is on the classpath or not.

Default. Without actuator on the classpath and without a custom WebSecurityConfigurerAdapter

Creating filter chain: Ant [pattern='/css/**'], []
Creating filter chain: Ant [pattern='/js/**'], []
Creating filter chain: Ant [pattern='/images/**'], []
Creating filter chain: Ant [pattern='/webjars/**'], []
Creating filter chain: Ant [pattern='/**/favicon.ico'], []
Creating filter chain: Ant [pattern='/error'], []

With a custom WebSecurityConfigurerAdapter and without actuator on the classpath

Creating filter chain: Ant [pattern='/img2.png'], []

With a custom WebSecurityConfigurerAdapter and with the actuator on the classpath

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []

The problem is that the org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration re-adds the default ignore rules.

A solution is to set security.ignored to none.

security:
  ignored:
    - none

Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []

Not exactly the same as without the actuator because it still adds the ignore rule for /error.
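The "Creating filter chain" startup lines quoted throughout this thread are the quickest way to audit which paths bypass Spring Security entirely: a chain whose filter list is empty (`[]`) means requests matching that pattern never reach the security filters. The following is an added example, not code from the issue, the linked project or Spring Boot: a small parser that extracts the effective ignore patterns from constructed log lines in that format and flags any that are not on the intended allow-list (the filter class names on the `/**` chain in the samples are made up).

```python
import re

# Constructed sample startup output in the format quoted in the issue: custom
# adapter ignoring only /img2.png, actuator on the classpath. The filter class
# names on the '/**' chain are made up and shortened for the sample.
LOG_WITH_ACTUATOR = """\
Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []
Creating filter chain: Ant [pattern='/**'], [org.springframework.security.web.context.SecurityContextPersistenceFilter@1, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2]
"""

# Same application after setting security.ignored to 'none' (constructed).
LOG_IGNORED_NONE = """\
Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/error']]], []
Creating filter chain: Ant [pattern='/img2.png'], []
Creating filter chain: Ant [pattern='/**'], [org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2]
"""

# Matcher text, then the filter list; the greedy matcher group backtracks to the
# last ", [" so commas inside an OrRequestMatcher do not split the line early.
CHAIN_RE = re.compile(r"Creating filter chain: (?P<matcher>.*), \[(?P<filters>.*)\]\s*$")
PATTERN_RE = re.compile(r"pattern='([^']*)'")

def parse_chains(log_text):
    """Return (patterns, secured) per chain; secured is False for an empty filter list."""
    chains = []
    for line in log_text.splitlines():
        m = CHAIN_RE.search(line)
        if not m:
            continue
        # A catch-all matcher without an Ant pattern is reported by its raw text.
        patterns = PATTERN_RE.findall(m.group("matcher")) or [m.group("matcher")]
        chains.append((patterns, bool(m.group("filters").strip())))
    return chains

def ignored_patterns(log_text):
    """Patterns whose chain has no filters: those requests never reach Spring Security."""
    return [p for patterns, secured in parse_chains(log_text) if not secured for p in patterns]

def unexpected_ignores(log_text, intended):
    """Bypassed patterns that are not on the intended allow-list."""
    return [p for p in ignored_patterns(log_text) if p not in intended]

if __name__ == "__main__":
    for name, log in (("actuator", LOG_WITH_ACTUATOR), ("ignored=none", LOG_IGNORED_NONE)):
        print(name, "bypasses security for:", unexpected_ignores(log, {"/img2.png"}))
```

Run against a real startup log, the report shows exactly which static-resource defaults the actuator auto-configuration re-added, and that `/error` remains exempt even with `security.ignored=none`.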
