I am new to Spring Boot and Spring Security, and I am building a RESTful API service for allowing the user to sign-up, sign-in, and do other stuff on the application.

I am using JWT for claims verifications and I will be passing the token each time my user uses APIs other than sign-in and sign-up. Therefore I would to allow access to these APIs without passing in the JWT, but for the rest, I want to reject the request outright if the JWT isn't passed.

I have only one controller which is the UserController and it maps to the path /api/user. It would service for the below APIs -

/sign-up. This is a POST method. I want it to allow access to it without requiring JWT to be passed.

/verify/{verificationCode} This is a GET method. I want it to be allowed access to it without requiring JWT to be passed.

/set-password/ This is a POST method, and would return a JWT.

/set-profile. This is a PUT method and will use the JWT.

I tried some examples on configuring the WebSecurity and HttpSecurity by using antMatchers and I also configured a GenericFilterBean.

I don't know the correct approach to and help would be very much appreciated. I am using version 2.1.3.RELEASE of Spring.

2 Answers

0
Ken Chan On

You could configure the security per URL by configuring HttpSecurity :

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {

        //Ignore other configuration stuff for simplicity 
        http.authorizeRequests()
                .antMatchers("/sign-up" ,"/verify/**" ).permitAll()
                .anyRequest().authenticated()
    }

}

Then all requests to URL except /sign-up and /verify/** requires authentication (which means JWT in you case).

You can even do the following if you want to further control /sign-up and /verify/** can only be accessed without authentication for the correct HTTP methods only:

http.authorizeRequests()
  .antMatchers(HttpMethod.POST, "/sign-up").permitAll()
  .antMatchers(HttpMethod.GET, "/verify/**").permitAll()
  .anyRequest().authenticated()
0
Patel Romil On

You can achieve your requirements with below configurations. It's a good way to use the URLs which does't require Authentication/Authorization to be placed in WebSecurity using ignoring instead of HttpSecurity as WebScurity will bypass the Spring Security Filter Chain and reduce the execution time

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/sign-up")
        .antMatchers("/verify/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/set-password/").hasRole("yourROLE")
        .antMatchers("/set-profile").hasRole("yourROLE") 
        .anyRequest().authenticated();
}

When you use HttpSecurity and try to permitAll() requests. Your requests will be allowed to be accessed from the Spring Security Filter Chain. This is costly as there will be requests other requests which would also come into this filter chain which needs to be allowed or disallowed based on Authentication/Authorization

But when you use WebSecurity, any requests to sign-up or verify will completely by pass the Spring Security Filter Chain all together. It is safe because you don't need any Authentication/Authorization to be in place to see an image or read a javascript file.