Java – Spring Boot Security – Anonymous User access on default mapping /

javaspring-bootspring-security

We have Spring boot based Application and We wanted to give the default / mapping access to Anonymous user.
we have added the default index.html (basic page).

In Controller

@RequestMapping("/")
public ModelAndView defaultViewManager(HttpServletRequest request) {
    logger.info("Default mapping.");
    ModelAndView modelAndView = new ModelAndView("index");
    return modelAndView;
} 

SecurityConfig

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private static final String SSO_HEADER = "AUTH_USER";

public static final String ADMIN = "ROLE_ADMIN";
public static final String USER = "ROLE_USER";
public static final String ANONYMOUS = "ROLE_ANONYMOUS";

@Autowired
private PreAuthUserDetailsService userDetailsService;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(preAuthenticatedAuthProvider());
}

@Bean
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>    (userDetailsService);

    PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
    authProvider.setPreAuthenticatedUserDetailsService(wrapper);
    return authProvider;
}

@Bean
public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
    RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
    filter.setPrincipalRequestHeader(SSO_HEADER);
    filter.setAuthenticationManager(authenticationManagerBean());
    return filter;
}

The above mentioned code probably not necessary, but for background, we are using a PreAuthenticatedAuthentication Provider

@Override
protected void configure(HttpSecurity http) throws Exception {

    // @formatter:off
    http.addFilter(headerAuthFilter())
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/admin/**").hasAuthority(ADMIN)
            .antMatchers("/**").hasAuthority(USER)

        .and()
            .logout()
                .deleteCookies("remove")
                .invalidateHttpSession(true)
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
        .and()
            .csrf().disable()
            .headers().frameOptions().disable();
    // @formatter:on
}
}

FYI, I have added the Interceptor too. The Interceptor appears to be triggered, even with the exclude pattern

public void addInterceptors(InterceptorRegistry registry) {     
         registry.addInterceptor(wikiRequestHandlerInterceptor()).
excludePathPatterns("/").addPathPatterns("/**");   

}

In the above SecurityConfig code. I tried to permit using .antMatchers("/").permitAll() and added Authority for rest means all /** and /admin/**. But this is not working. please help to mention correct antMatchers to provide the anonymous access to default /mapping only.

Thanks in Advance.

Best Solution

Looks like the antMatchers would need to be re-arranged to fix the precedence. To permit "all requests" at "/" first add anyRequest().permitAll(), then add the restricted directories, and finally the catch-all /** like so:

http.addFilter(headerAuthFilter())
    .authorizeRequests()
    .anyRequest().permitAll()
    .antMatchers("/admin/**").hasAuthority(ADMIN)
    .antMatchers("/**").hasAuthority(USER)

A view controller can be setup to map directly to the indexroot.html in the template directory (assuming ThymeLeaf):

public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/").setViewName("indexroot");
}

I believe the interceptor can still be excluded with simply "/", in any order:

public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(wikiRequestHandlerInterceptor())
            .addPathPatterns("/admin/**")
            .excludePathPatterns("/");
}
Related Question