Spring Boot serving static content blocked by security

Question

I started Spring Boot + Angular application and for now I want to deploy whole thing as a jar. So I created maven config, where angular app gets built and then is copied to /target/classes/resources

But every request to root (localhost:8080) gets blocked by security. When I disable it i can see the page, which means the whole thing is deployed correctly, but somehow spring does not allow me to see it. Here is my simple security config, I want static resources to be unprotected, while any other request requires authentication:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

EDIT: A minimal example of my problem is here: https://gitlab.com/jnowacki/security-issue-demo

EDIT 2: I tries all the things from this post: Serving static web resources in Spring Boot & Spring Security application Do I do something wrong on a conceptual level? Is it wrong to serve static content along with Spring Boot app?

Answer 1

Add this additional override:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers(AUTH_WHITELIST);
}

where AUTH_WHITELIST will contain the paths to be ignored. For instance:

private static final String[] SWAGGER_AUTH_WHITELIST = {
        // -- swagger ui
        "/v2/api-docs",
        "/swagger-resources",
        "/swagger-resources/**",
        "/swagger-ui.html",
        "/resources/**"
};

Answer 2

try below.

@Override
public void configure(WebSecurity web) throws Exception {
    web
    .ignoring()
    .antMatchers("/resources/**");
}

Refer spring-securitys-antmatcher