I'm using SpringMVC 4.3.13 and Spring Security 4.2.4.
In the last days I add to my webapp the webjars dependency and all works fine if I already made login into the application.
The only problem that I have is in the login page where I can't use webjars because Spring Security cannot permit me to download the resources.
Here how I load the resources in the login page
<script src="/webjars/jquery/jquery.min.js"></script>
Here the resources configuration in MVCConfiguration
@Override
public void addResourceHandlers(final ResourceHandlerRegistry registry) {
registry.addResourceHandler("/webjars/**").addResourceLocations(/webjars/")
.resourceChain(false)
.addResolver(new WebJarsResourceResolver())
.addResolver(new PathResourceResolver());
registry.addResourceHandler("/css/**").addResourceLocations("/css/");
registry.addResourceHandler("/js/**").addResourceLocations("/js/");
registry.addResourceHandler("/plugins/**").addResourceLocations(/plugins/");
registry.addResourceHandler("/img/**").addResourceLocations("/img/");
registry.addResourceHandler("/images/**").addResourceLocations(/images/");
registry.addResourceHandler("/font/**").addResourceLocations("/font/");
registry.addResourceHandler("/fonts/**").addResourceLocations("/fonts/");
registry.addResourceHandler("/servlet/**").addResourceLocations("/servlet/");
registry.addResourceHandler("/user/**").addResourceLocations("/user/");
registry.addResourceHandler("/asset/**").addResourceLocations("/asset/");
registry.addResourceHandler("/xslt/**").addResourceLocations("/xslt/");
registry.addResourceHandler("/jsp/**").addResourceLocations("/jsp/");
registry.addResourceHandler("/applets/**").addResourceLocations("/applets/");
registry.addResourceHandler("/manager/**").addResourceLocations("/manager/");
registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
}
And finaly my WebSecurityConfig
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/webjars/**");
}
@Override protected void configure(final HttpSecurity http) throws Exception {
LOGGER.info("Initialization HTTP configuration");
http
.csrf().disable()
.addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authorizeRequests().antMatchers("/login", "/asset/**","/privileged/**").permitAll()
.anyRequest().authenticated()
.and().formLogin().loginPage("/login")
.defaultSuccessUrl("/home")
.successHandler(customAuthenticationSuccessHandler)
.permitAll();
}
Like you can see I already added the exception in the Security config. I also try this config
.antMatchers("/login", "/asset/**","/privileged/**","/webjars/**").permitAll()
But without success someone have any idea.
UPDATE The configuration of the resourceHandler and ResourceLocations are correct. In fact after login webjars works correctly
The problem is not related to Spring Security.
The guilty is an old custom security layer that will be totally replaced by Spring security in the future.