In my Spring Boot web application I have configured Spring Security to allow access to static resources like so:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // all requests must be authenticated
                .anyRequest().authenticated()
                // allow access to static resources
                .antMatchers("/css/**", "/images/**", "/js/**", "/webjars/**").permitAll()
                .and()
            // login form authentication entry point
            .formLogin()
                .permitAll()
                .loginPage("/login")
                .usernameParameter("userId")
                .and()
            // allow unrestricted access to the logout action
            .logout()
                .logoutUrl("/logout")
                .permitAll();
    }

and in my login JSP page I am including jQuery like this:

    <script src="webjars/jquery/3.2.0/jquery.min.js"></script>

I declare the webjar in my pom like this:

    <dependency>
        <groupId>org.webjars</groupId>
        <artifactId>jquery</artifactId>
        <version>3.2.0</version>
    </dependency>

But the resulting GET request for the resource at http://localhost:8080/webjars/jquery/3.2.0/jquery.min.js returns status code 302 and the script is not loaded. I have tried including a leading forward slash in the request, but it has the same result.
The order of the matchers is important, see the Spring doc on this:
There are multiple children to the http.authorizeRequests() method each matcher is considered in the order they were declared.
So the anyRequest() matcher must come after the antMatchers(). Here is the example from the Spring doc:

    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
                .anyRequest().authenticated()
                .and()
            // ...
            .formLogin();
    }

I guess what happens is that you will be redirected to the login page by the security filter, resulting in the 302.
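
Added example, not part of the original question or answer: the question's configuration with the matchers reordered as the answer describes, plus a MockMvc check that static resources stay public while everything else still redirects to the login page. It assumes Spring Boot 2.x with spring-boot-starter-test (JUnit 5), the jQuery webjar from the question's pom, and an existing @SpringBootApplication class in the same package; the class names and the /any/protected/page URL are hypothetical, and the config class replaces the application's existing security configuration.

```java
import static org.hamcrest.Matchers.endsWith;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical class name; the rules are the question's, reordered.
@Configuration
class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // specific rules first: the first matching rule decides the outcome
                .antMatchers("/css/**", "/images/**", "/js/**", "/webjars/**").permitAll()
                // catch-all last, so it only applies to what was not matched above
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").usernameParameter("userId").permitAll()
                .and()
            .logout().logoutUrl("/logout").permitAll();
    }
}

// Hypothetical regression test guarding both sides of the rule order.
@SpringBootTest
@AutoConfigureMockMvc
class StaticResourceSecurityConfigTest {
    @Autowired
    private MockMvc mvc;

    @Test
    void webjarIsServedWithoutLogin() throws Exception {
        mvc.perform(get("/webjars/jquery/3.2.0/jquery.min.js")).andExpect(status().isOk());
    }

    @Test
    void otherUrlsStillRedirectToLogin() throws Exception {
        mvc.perform(get("/any/protected/page")) // constructed URL, not from the question
           .andExpect(status().is3xxRedirection())
           .andExpect(header().string("Location", endsWith("/login")));
    }
}
```

The second test matters as much as the first: it catches the opposite mistake, where a permitAll() pattern is widened until it exposes pages that should require authentication.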