Spring Security - Security none, Filters none, access permitAll
Configuring Spring Security usually means applying filters at multiple layers to restrict or allow access to application resources, but for public resources we may want to bypass these filters, or not apply any filter at all. Consider the following cases −
Public API documentation such as Swagger/OpenAPI pages.
Static assets such as images, CSS and JS files.
Spring Security provides several options for opening public resources to everyone: security="none", filters="none" and permitAll() all achieve this, but they apply at different layers of the security stack.
Security="none"
This option is configured in the Spring Security configuration for the required path. Its modern equivalent is web.ignoring(), which tells Spring Security to ignore the request entirely so that no filter is applied. This configuration has the following characteristics −
The Spring Security filter chain is not applied to such URLs.
The SecurityContext is null; SecurityContextHolder holds no user object.
It is the fastest option in terms of performance, since no security filter chain is invoked.
web.ignoring() is configured through a WebSecurityCustomizer bean, as shown below −
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfiguration {
    // Requests matching these patterns never enter the Spring Security filter chain:
    // no authentication, no CSRF check and no security response headers.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
            .requestMatchers(new AntPathRequestMatcher("/static/**"),
                             new AntPathRequestMatcher("/css/**"));
    }
}
Filters="none"
Like security="none", filters="none" is a legacy option, but it acts at the filter level: it instructs FilterChainProxy to skip every filter for the matching request.
In modern Spring Security configuration this option is no longer used; it is replaced by web.ignoring() as shown above.
Because security="none" and filters="none" bypass the Spring Security filter chain completely, matching requests receive no CSRF protection and no security response headers, leaving them exposed to CSRF, XSS and other header-based attacks.
permitAll
This is the preferred way to give public access to dynamic pages such as the login page or a contact-us page. The following points should be considered before using this option −
The request passes through the complete Spring Security filter chain.
A SecurityContext is created. If the user is logged in, the user details are available; otherwise the user is treated as anonymous.
This configuration is secure: security headers such as HSTS and X-Frame-Options are present, and CSRF protection is supported.
permitAll is configured on HttpSecurity in a SecurityFilterChain bean, as shown below −
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Declared in the same @Configuration class as the WebSecurityCustomizer above.
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        // Note: this line switches off the CSRF protection described above;
        // drop it to keep CSRF tokens on the login form.
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(
            // /login still runs through the whole filter chain, but needs no authentication
            request -> request.requestMatchers("/login").permitAll()
                              // everything else requires an authenticated user
                              .requestMatchers("/**").authenticated()
        )
        .formLogin(Customizer.withDefaults())
        .logout(config -> config
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login"))
        .build();
}
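To verify the difference between web.ignoring() and permitAll described in both sections above, the following MockMvc test is an added example, not part of the original tutorial; it assumes a Spring Boot application containing the SecurityConfiguration shown on this page (with /css/** ignored and /login permitted), and the test class name, /css/site.css and /account are constructed for illustration.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class; assumes the SecurityConfiguration from this page is active.
@SpringBootTest
@AutoConfigureMockMvc
class PublicResourceAccessTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void permitAllPathRunsThroughTheFilterChain() throws Exception {
        // /login is permitAll: no authentication is required, but the default
        // security headers are still written because the filter chain ran.
        mvc.perform(get("/login"))
           .andExpect(status().isOk())
           .andExpect(header().exists("X-Frame-Options"))
           .andExpect(header().exists("X-Content-Type-Options"));
    }

    @Test
    void ignoredPathGetsNoSecurityHeaders() throws Exception {
        // /css/** is covered by web.ignoring(): the filter chain is skipped entirely,
        // so no security headers appear (constructed file name; it need not exist).
        mvc.perform(get("/css/site.css"))
           .andExpect(header().doesNotExist("X-Frame-Options"))
           .andExpect(header().doesNotExist("X-Content-Type-Options"));
    }

    @Test
    void protectedPathRedirectsAnonymousUserToLogin() throws Exception {
        // Every other URL is .authenticated(): an anonymous request is sent to the login page.
        mvc.perform(get("/account"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }
}
```

If the static-resource test starts failing after a path is moved from web.ignoring() to permitAll, that is the expected sign that the resource now receives the security headers.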