
Hi, I have created a sample Spring MVC Security application. I'm following Java code based configuration rather than XML configuration. The application is working fine, but a user can access each and every URL without logging in to the application. How can I resolve this problem?

I want users to not be able to access URLs without going through the login process.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .headers()
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN)).and()
                .formLogin().defaultSuccessUrl("/admin/home")
                .loginPage("/login").failureUrl("/login?error")
                .permitAll().and().logout()
                .logoutSuccessUrl("/login?logout").logoutUrl("/logout")
                // "/**" is evaluated before anyRequest(), so every URL ends up permitted
                .permitAll().and().authorizeRequests().antMatchers("/**")
                .permitAll().anyRequest().authenticated().and();
    }

    /*
     * @Override protected void configure(AuthenticationManagerBuilder auth)
     * throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }

}
jijesh
  • You can use a Spring `Filter`: http://stackoverflow.com/questions/11928637/how-to-write-a-custom-filter-in-spring-security – chengpohi Mar 21 '15 at 10:25
  • Thanks for the support, but my project is based on Spring Boot, which means no web.xml file is present. – jijesh Mar 21 '15 at 10:29

2 Answers


I think this is the problem:

.authorizeRequests()
    .antMatchers("/**").permitAll()
    .anyRequest().authenticated()

The order of the rules matters (it should be most specific first, least specific last), so the /** pattern will match everything and the anyRequest().authenticated() will never take effect (and therefore access to all URLs will be permitted for all). So the solution is to remove the /** rule or to make it less general, depending on what you want it to do.

Btw, you should really follow the recommended conventions for indenting Spring Security Java configuration; it would make your configuration much easier to read.

Bohuslav Burghardt

Firstly include

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
            .withUser("admin").password("password").roles("ADMIN"); // admin in your case
}

and, as @Bohuslav Burghardt suggested, use

http
    .authorizeRequests()
        .antMatchers("/resources/**", "/login").permitAll()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .and()
    .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/admin/home")
        .failureUrl("/loginfailed")
        .permitAll()
        .and()
    .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .deleteCookies("JSESSIONID")
        .invalidateHttpSession(true)
        .and();
Kharoud
  • I did some custom changes for you to check. If it still doesn't work, then there is some other problem. – Kharoud Mar 21 '15 at 10:53
  • It worked, thanks. I also want to handle a logout problem, i.e. after logout I can go back to the homepage, and likewise from the home page I can go to the login page when the back button is clicked. – jijesh Mar 21 '15 at 11:06
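The following is an added example, not code from the question or from either answer, that puts the two answers together in one complete configuration: the rule ordering point from Bohuslav Burghardt's answer (specific matchers first, `anyRequest().authenticated()` last, and no `"/**".permitAll()` in front of it) and the in-memory user plus logout handling from Kharoud's answer. The package name, the `/home`, `/css/**` and `/resources/**` paths, the extra `user` account and the password values are assumptions chosen for the illustration; the API used is the Spring Security 4 `WebSecurityConfigurerAdapter` API that the thread is about.

```java
// Added example, not from the question or the answers. Package, paths and
// credentials are assumed; the API is Spring Security 4 as used on this page.
package com.example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo accounts. In Spring Security 4 a plain-text password
        // is accepted here; with Spring Security 5 it must carry a {noop} or
        // {bcrypt} prefix, or a PasswordEncoder must be configured.
        auth.inMemoryAuthentication()
                .withUser("admin").password("password").roles("ADMIN")
                .and()
                .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific rules first: static assets and the login page are public.
                .antMatchers("/resources/**", "/css/**", "/login").permitAll()
                // Role-restricted area.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Catch-all last: every other URL needs an authenticated session.
                // A ".antMatchers("/**").permitAll()" placed above this line would
                // match first and make this rule unreachable, which is exactly the
                // bug in the question.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
        // headers() is left at its defaults on purpose: they include
        // Cache-Control: no-cache, no-store, so after logout the browser's back
        // button re-requests the page instead of showing a cached copy, and the
        // re-request is redirected to /login by the anyRequest() rule above.
    }
}
```

With this ordering, an unauthenticated request for `/home` or `/admin/home` is redirected to `/login`, a `USER` account that reaches `/admin/home` gets a 403, and CSRF protection stays enabled, so `/logout` must be a POST carrying the CSRF token (the question's configuration disabled CSRF, which the answers did not ask for).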