Spring security 401 Unauthorized on unsecured endpoint
Spring Boot was not applying the configuration because couldn't find it. On Application.java config package was not included with @ComponentScan
anotation.
After some researching, here is solution:
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })@ComponentScan(basePackages = { PackageConstants.PACKAGE_CONTROLLERS_REST, PackageConstants.PACKAGE_SERVICES, PackageConstants.PACKAGE_SERVICES_IMPL, PackageConstants.PACKAGE_MONGO_REPOSITORIES, PackageConstants.PACKAGE_MONGO_REPOSITORIES_IMPL, PackageConstants.PACKAGE_UTILS })public class Application { // Clase principal que se ejecuta en el bootrun public static void main(String[] args) { SpringApplication.run(Application.class, args); }}
Main line is @SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
it tells not use Spring Boot Security AutoConfiguration configuration. It is not full answer, because now you have to tell Spring user your Spring Security configuration class. Also i advice you to create Initializer class with init Root Config Classes, ApplicationConfiguration using and refuse to use SpringBoot applications. Something like this:
ApplicationConfig:
@Configuration@EnableWebMvc@ComponentScan("com.trueport.*")@PropertySource("classpath:app.properties")public class ApplicationConfig extends WebMvcConfigurerAdapter { ....}
ApplicationSecurityConfig:
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter { ....}
Initializer:
public class Initializer implements WebApplicationInitializer { private static final String DISPATCHER_SERVLET_NAME = "dispatcher"; @Override public void onStartup(ServletContext servletContext) throws ServletException { AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext(); .... DispatcherServlet dispatcherServlet = new DispatcherServlet(ctx); dispatcherServlet.setThrowExceptionIfNoHandlerFound(true); ctx.register(ApplicationConfig.class); ServletRegistration.Dynamic servlet = servletContext.addServlet(DISPATCHER_SERVLET_NAME, dispatcherServlet); servlet.addMapping("/"); servlet.setLoadOnStartup(1); servlet.setAsyncSupported(true); }}
You need to add the following to your configure method /error is the default fall back when error occurs to the application due to any exception and it is secured by default.
protected void configure(HttpSecurity httpSecurity) throws Exception {//disable CRSFhttpSecurity //no authentication needed for these context paths .authorizeRequests() .antMatchers("/error").permitAll() .antMatchers("/error/**").permitAll() .antMatchers("/your Urls that dosen't need security/**").permitAll()
Also the below code snippet
@Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() // All of Spring Security will ignore the requests .antMatchers("/error/**") }
Now you will not get 401 and get 500 exception with details when an exception occurred for permitAll Urls