DEV Community

Cover image for How to disable Spring Security for static resources
JavaFullStackDev.in
JavaFullStackDev.in

Posted on

How to disable Spring Security for static resources

To disable Spring Security for static resources in a Spring Boot application, you can configure Spring Security to ignore specific paths or patterns. Here are the steps:

  1. Configure Spring Security to Ignore Static Resources: You can use the WebSecurityCustomizer to ignore specific paths or patterns. For example, to ignore all requests to the /static/** path, you can add the following configuration:
   @Configuration
   @EnableWebSecurity
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       public void configure(WebSecurity web) {
           web.ignoring().antMatchers("/static/**");
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Using requestMatchers in Spring Security 6: If you are using Spring Security 6, you need to use requestMatchers instead of antMatchers. Here is an example:
   @Configuration
   @EnableWebSecurity
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       public void configure(WebSecurity web) {
           web.ignoring().requestMatchers(PathRequest.toStaticResources());
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Customizing Resource Handling: You can also customize how static resources are handled by Spring Boot by configuring the ResourceHandlerRegistry in a WebMvcConfigurer implementation:
   @Configuration
   public class WebConfig implements WebMvcConfigurer {
       @Override
       public void addResourceHandlers(ResourceHandlerRegistry registry) {
           registry.addResourceHandler("/static/**")
                   .addResourceLocations("classpath:/static/")
                   .setCachePeriod(3600)
                   .resourceChain(true)
                   .addResolver(new VersionResourceResolver().addContentVersionStrategy("/**"));
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Using Cache-Control Headers: If you need to set specific Cache-Control headers for static resources, you can do so by setting the headers directly in the HttpServletResponse from a controller method:
   @Controller
   public class MyController {
       @RequestMapping(...)
       public String myMethod(HttpServletResponse response) {
           response.setHeader("Cache-Control", "max-age=14400");
           // ...
       }
   }
Enter fullscreen mode Exit fullscreen mode

By following these steps, you can ensure that Spring Security does not interfere with the serving of static resources in your Spring Boot application.

Citations:
[1] https://stackoverflow.com/questions/76097411/how-can-i-configure-spring-security-6-to-ignore-the-static-resources-folder
[2] https://www.codejava.net/frameworks/spring-boot/spring-security-allow-static-resources
[3] https://www.geeksforgeeks.org/serve-static-resources-with-spring/
[4] https://www.reddit.com/r/javahelp/comments/125ds72/spring_security_not_allowing_static_folder_access/
[5] https://stackoverflow.com/questions/33214501/how-to-add-cache-control-header-to-static-resource-in-spring-boot

Top comments (0)