java - Spring Security multiple url ruleset not working together -


i have http spring security configuration appears work when comment out each individual aspect doesn't work when combine spring security rules together, know problem not regexmatcher or antmatcher rules applied in combination.

here spring security class:

package com.driver.website.config;  import org.springframework.beans.factory.annotation.autowired; import org.springframework.beans.factory.annotation.value; import org.springframework.context.annotation.bean; import org.springframework.context.annotation.configuration; import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder; import org.springframework.security.config.annotation.method.configuration.enableglobalmethodsecurity; import org.springframework.security.config.annotation.web.builders.httpsecurity; import org.springframework.security.config.annotation.web.builders.websecurity; import org.springframework.security.config.annotation.web.configuration.enablewebsecurity; import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter; import org.springframework.security.web.csrf.csrftokenrepository; import org.springframework.security.web.csrf.httpsessioncsrftokenrepository; import org.springframework.security.web.header.writers.staticheaderswriter; import org.springframework.security.web.header.writers.frameoptions.xframeoptionsheaderwriter; import org.springframework.security.web.util.matcher.requestmatcher;  import javax.servlet.http.httpservletrequest; import java.security.accesscontrolcontext;  @configuration @enablewebsecurity @enableglobalmethodsecurity(prepostenabled = true) public class securityconfig extends websecurityconfigureradapter {      @value("${widget.headers.xframeoptions.domains.allowed}")     private string allowedxframeoptions;      @value("${widget.headers.origins.allowed}")     private string allowedorigins;      @override     public void configure(httpsecurity http) throws exception {         // @formatter:off          http.exceptionhandling().accessdeniedpage("/login")                 .and()                 .formlogin().loginpage("/login").defaultsuccessurl("/myaccount", true).permitall()                 .and()                 .authorizerequests()                 .antmatchers("/**").permitall();          http.regexmatcher("^((?!(/widget|/assistedsearch)).)*$")                 .headers().frameoptions().disable()                 .regexmatcher("^((?!(/widget|/assistedsearch)).)*$")                 .headers()                 .xssprotection()                 .contenttypeoptions()                 .addheaderwriter(new staticheaderswriter("x-frame-options", "sameorigin"));          http.antmatcher("/widget")             .headers()             .frameoptions()             .disable()             .antmatcher("/widget")             .headers()             .addheaderwriter(new staticheaderswriter("x-frame-options", "allow-from " + allowedxframeoptions));          http.requestmatchers().antmatchers("/assistedsearch", "/widget")             .and()             .headers()             .addheaderwriter(new staticheaderswriter("access-control-allow-origin", allowedorigins))             .addheaderwriter(new staticheaderswriter("access-control-allow-methods", "get, post"))             .addheaderwriter(new staticheaderswriter("access-control-allow-headers", "content-type"));          // @formatter:on     } }

the rules should be...

  • for urls not /widget , /assistedsearch should add sameorigin x-frame-options header
  • for /widget endpoint should add x-frame-options: allow-from header
  • for /widget , /assistedsearch endpoints should add access-control-allow-origin, access-control-allow-methods , access-control-allow-headers headers

as mentioned above if comment out for urls ruleset other 2 work in unison, for urls rule uncommented none of headers appear.

does have ideas why might be? how add multiple rulesets in spring security , override existing rulesets new ones?

i tried 

http.antmatcher("/widget")     .headers()     .frameoptions()     .disable()

which again appears work on it's own not in combination.

thanks in advance!

you override previous matchers, see httpsecurity.html#antmatcher:

invoking antmatcher(string) override previous invocations of mvcmatcher(string)}, requestmatchers(), antmatcher(string), regexmatcher(string), , requestmatcher(requestmatcher).

and httpsecurity.html#regexmatcher:

invoking regexmatcher(string) override previous invocations of mvcmatcher(string)}, requestmatchers(), antmatcher(string), regexmatcher(string), , requestmatcher(requestmatcher).

if want more 1 configuration of httpsecurity, see spring security reference:

we can configure multiple httpsecurity instances can have multiple <http> blocks. key extend websecurityconfigurationadapter multiple times. example, following example of having different configuration url’s start /api/.

@enablewebsecurity public class multihttpsecurityconfig {   @autowired   public void configureglobal(authenticationmanagerbuilder auth) { 1       auth           .inmemoryauthentication()               .withuser("user").password("password").roles("user").and()               .withuser("admin").password("password").roles("user", "admin");   }    @configuration   @order(1)                                                        2   public static class apiwebsecurityconfigurationadapter extends websecurityconfigureradapter {       protected void configure(httpsecurity http) throws exception {           http               .antmatcher("/api/**")                               3               .authorizerequests()                   .anyrequest().hasrole("admin")                   .and()               .httpbasic();       }   }    @configuration                                                   4   public static class formloginwebsecurityconfigureradapter extends websecurityconfigureradapter {        @override       protected void configure(httpsecurity http) throws exception {           http               .authorizerequests()                   .anyrequest().authenticated()                   .and()               .formlogin();       }   } }

-

Comments

Post a Comment

Popular posts from this blog

javascript - Thinglink image not visible until browser resize -

Image
i trying repurpose pre-existing theme, includes drop down menu displays image. trying embed thinglink drop down menu's content section, not visible until resize browser window. here menu looks like: then when clicked, can see empty space image should show: then when browser resized, image appears: this code content of menu: <div class="ajax_accordion_content" style="display: none;"> <div class="report-detail"> <table border="0" cellpadding="0" cellspacing="0" width="100%" class="table_basic"> <tbody> <!-- thinglink image embedded --> <img style="max-width: 100%;" src="http://cdn.thinglink.me/api/image/832705713204625409/1024/10/scaletowidth#tl-832705713204625409;1043138249'" class="alwaysthinglink"/> <script async charset="utf-8" src="http://cdn.thinglink.me/jse/embed.j...
Read more

firebird - Error "invalid transaction handle (expecting explicit transaction start)" executing script from Delphi -

i'm developing update app delphi 10. i'm running windows 7 64x, firebird 2.5.1.26351 32x. execution order: checks current version(select statement firebird database) downloads update(via ftp) apply it(.exe files, , execute .sql) error code -901 pops out when try execute .sql files. know there incompatibility issue w7 64x , fdb 32x, but, can everything: backup , restore(gbak), db commands(all). tried fdb 64x instead, , not working. code: //components fdwaitcursor: tfdguixwaitcursor; fddriverlink: tfdphysfbdriverlink; fdconnection:tfdconnection; fdscript: tfdscript; function tthr_script.createcomponents:boolean; begin try fddriverlink := tfdphysfbdriverlink.create(fddriverlink); fdwaitcursor := tfdguixwaitcursor.create(fdwaitcursor); fdconnection := tfdconnection.create(fdconnection); fdconnection begin drivername := 'fb'; params.username := thrbanco.bduser; params.password := thrbanco.bdpass; params.database := ...
Read more

Sound is not coming out while implementing Text-to-speech in Android activity -

i using texttospeak in 1 of app. while adding speech string texttospeech object instance, doesn't produce sound. though not getting error in log still sound not coming out. want device speak value of textview gets set resultmsg.settext() method. public class resultactivity extends activity { @override protected void oncreate(bundle savedinstancestate){ ............ resultmsg.settext(resultmsg_str); texttospeech = new texttospeech(getapplicationcontext(),newtexttospeech.oninitlistener(){ @override public void oninit(int status) { system.out.println("txt speech status = "+status); system.out.println("txt speech error status = "+texttospeech.error); system.out.println("txt speech success status = "+texttospeech.success); if(status == texttospeech.success){ texttospeech.setlanguage(locale.english); ...
Read more