How to disable Spring Boot Authentication control for a particular Rest Controller

Question

I made a CRUD app using Angular on client side and Spring Boot on the backend. I implemented then authentication with Okta and everything works fine. The problem is that I want to retrieve some data from database for my homepage, and show those info even if no user is authenticated, but I keep receiving a 401 Unauthorized http response.

I read some other question here in stackoverflow and these are all the configuration that I tried in my Spring server:

public class SecurityConfig extends WebSecurityConfigurerAdapter{

1)

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().anyRequest().authenticated().and().oauth2Client().and().oauth2Login()
            .and().csrf().ignoringAntMatchers("/stats/**");
    http.cors();
}

2)

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/stats/**").permitAll().anyRequest().authenticated().and().oauth2Client().and().oauth2Login();
    http.cors();
}

They don't work. This is the @RestController that I'm trying to contact for my GET methods:

@RestController
@RequestMapping("/stats")
@CrossOrigin("http://localhost:4200")
public class StatsController {

@Autowired
private CompanyManagerService companyManagerService;
@Autowired
private ReservationService reservationService;
@Autowired
private ReviewService reviewService;
@Autowired
private UserService userService;


@GetMapping("/company")
public ResponseEntity getCompanyCount(){

    return new ResponseEntity(companyManagerService.getCompanyCount(), HttpStatus.OK);
}

@GetMapping("/field")
public ResponseEntity getFieldCount(){

    return new ResponseEntity(companyManagerService.getFieldCount(), HttpStatus.OK);
}

@GetMapping("/reservation")
public ResponseEntity getReservationCount(){

    return new ResponseEntity(reservationService.getCount(), HttpStatus.OK);
}

@GetMapping("/review")
public ResponseEntity getReviewCount(){

    return new ResponseEntity(reviewService.getCount(), HttpStatus.OK);
}

How can I solve this situation?

Answer 1

• Make sure your security configuration class SecurityConfig is annotated with @EnableWebSecurity and @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
• The security configuration class is in follows the package structure and scanned by Spring. spring-component-scanning
• The application does not have a context path if you are using a context path then you may use **/stats/** or /context-path/stats/**

You may use configure(WebSecurity web) that will bypass the security filter chain and you will be able to access the GET APIs

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("**/stats/**");
    }

If you are using both configure(WebSecurity web) and configure(HttpSecurity http) methods, make sure you have placed configure(WebSecurity web) above the configure(HttpSecurity http) as described here

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

     // Other Configurations...

     @Override
     public void configure(WebSecurity web) throws Exception {
         web
            .ignoring()
            .antMatchers("**/stats/**");
     }

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable().cors().disable()
            .authorizeRequests()
            .antMatchers("**/stats/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Client()
            .and()
            .oauth2Login();
      }

     // Other Configurations...

}