I am new to Spring Boot and Spring Security, and I am building a RESTful API service for allowing the user to sign-up, sign-in, and do other stuff on the application.
I am using JWT for claims verifications and I will be passing the token each time my user uses APIs other than sign-in and sign-up. Therefore I would to allow access to these APIs without passing in the JWT, but for the rest, I want to reject the request outright if the JWT isn't passed.
I have only one controller which is the UserController and it maps to the path /api/user
. It would service for the below APIs -
/sign-up
. This is a POST method. I want it to allow access to it without requiring JWT to be passed.
/verify/{verificationCode}
This is a GET method. I want it to be allowed access to it without requiring JWT to be passed.
/set-password/
This is a POST method, and would return a JWT.
/set-profile
. This is a PUT method and will use the JWT.
I tried some examples on configuring the WebSecurity and HttpSecurity by using antMatchers and I also configured a GenericFilterBean.
I don't know the correct approach to and help would be very much appreciated. I am using version 2.1.3.RELEASE of Spring.
You could configure the security per URL by configuring
HttpSecurity
:Then all requests to URL except
/sign-up
and/verify/**
requires authentication (which means JWT in you case).You can even do the following if you want to further control
/sign-up
and/verify/**
can only be accessed without authentication for the correct HTTP methods only: