Spring Security Configuration – HttpSecurity vs WebSecurity

by

General use of WebSecurity ignoring() method omits Spring Security and none of Spring Security’s features will be available.
WebSecurity is based above HttpSecurity.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/resources/**")
        .antMatchers("/publics/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/publics/**").hasRole("USER") // no effect
        .anyRequest().authenticated();
}

WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is unconsidered.

This will omit the request pattern from the security filter chain entirely.
Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.

configure(HttpSecurity) allows configuration of web-based security at a resource level, based on a selection match – e.g. The example below restricts the URLs that start with /admin/ to users that have ADMIN role, and declares that any other URLs need to be successfully authenticated.

configure(WebSecurity) is used for configuration settings that impact global security (ignore resources, set debug mode, reject requests by implementing a custom firewall definition). For example, the following method would cause any request that starts with /resources/ to be ignored for authentication purposes.

Let’s consider the below code, we can ignore the authentication for the endpoint provided within antMatchers using both the methods.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/login", "/register", "/api/public/**");
}

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers("/login", "/register", "/api/public/**").permitAll()
        .anyRequest().authenticated();
}

  • configure(WebSecurity web)
    Endpoint used in this method ignores the spring security filters, security features (secure headers, csrf protection etc) are also ignored and no security context will be set and can not protect endpoints for Cross-Site Scripting, XSS attacks, content-sniffing.

  • configure(HttpSecurity http)
    Endpoint used in this method ignores the authentication for endpoints used in antMatchers and other security features will be in effect such as secure headers, CSRF protection, etc.

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. Spring security CORS Filter
  3. Spring Boot 2.0.x disable security for certain profile
  4. How to disable ‘X-Frame-Options’ response header in Spring Security?
  5. How to enable HTTP response caching in Spring Boot
  6. 401 instead of 403 with Spring Boot 2
  7. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  8. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  9. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  10. Securing Spring Boot API with API key and secret
  11. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  12. How do I disable resolving login parameters passed as url parameters / from the url
  13. How do I add method based security to a Spring Boot project?
  14. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  15. Disable HTTP OPTIONS method in spring boot application
  16. Single role multiple IP addresses in Spring Security configuration
  17. disabling spring security in spring boot app [duplicate]
  18. Disabling a filter for only a few paths
  19. Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError
  20. Spring Boot REST service exception handling
  21. How to hot-reload properties in Java EE and Spring Boot?
  22. exclude @Component from @ComponentScan
  23. Programmatically shut down Spring Boot application
  24. What is the difference between putting a property on application.yml or bootstrap.yml in spring boot?
  25. Speed up Spring Boot startup time
  26. package org.springframework.boot does not exist
  27. Spring Boot shutdown hook
  28. Spring security added prefix “ROLE_” to all roles name?
  29. Why this Spring application with java-based configuration don’t work properly
  30. Cross-Origin Resource Sharing with Spring Security

Leave a Comment