Skipping GET URL that returns ModelAndView from Spring Security Config


I am working on Spring Boot security 3.2.1 and implemented JWT Authentication in my project. However, now I am not able to get my HTML pages, which were working earlier. I have added these resource paths in my Spring Security Config class, but it is still returning 403. Before implementing Spring Security, I was able to get my HTML files using the URL http://localhost:8080/expensemanager/html/application.html

Here is my Project Structure

[image: project structure]

Here is my Security Config class

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfiguration {

    private final JwtAuthenticationFilter jwtAuthenticationFilter;
    private final UserDetailsService userDetailsService;
    
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        
        http
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(request -> { request
            
            // Registration Controller
            .requestMatchers("/registration/validateuserid").permitAll()
            .requestMatchers("/registration/registeruser").permitAll()
            
            // Auth Controller
            .requestMatchers("/auth/createtoken").permitAll()
            .requestMatchers("/auth/refreshtoken").hasAnyAuthority(Role.ADMIN.name(), Role.USER.name())
            
            // Master Controller
            .requestMatchers("/master/**").permitAll()
            
            // Resource Controller
            .requestMatchers("/login").permitAll()
            .requestMatchers("/registration").permitAll()
            .requestMatchers("/application").permitAll()
            .requestMatchers("/report").permitAll()
            
            // Report Controller
            .requestMatchers("/report/**").hasAuthority(Role.ADMIN.name())
            
            // Expense Controller
            .requestMatchers("/expense/**").hasAnyAuthority(Role.ADMIN.name(), Role.USER.name())
            
            .anyRequest().authenticated();
        })
        .sessionManagement(manager ->  {
            manager.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        })
        .authenticationProvider(authenticationProvider()).addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    
        return http.build();
    }
    
    @Bean
    AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder());
        
        return authProvider;
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        
        return new BCryptPasswordEncoder();
    }
    
    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        
        return configuration.getAuthenticationManager();
    }
}

And here is my controller class serving the HTML files:

@RestController
@RequestMapping("/")
public class ResourceController {

    @GetMapping("/login")
    public ModelAndView getLoginPage() {
        
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("html/login.html");
        return modelAndView;
    }
    
    @GetMapping("/registration")
    public ModelAndView getRegistrationPage() {
        
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("html/registration.html");
        return modelAndView;
    }
    
    @GetMapping("/application")
    public ModelAndView getApplicationPage() {
        
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("html/application.html");
        return modelAndView;
    }
    
    @GetMapping("/report")
    public ModelAndView getReportPage() {
        
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("html/report.html");
        return modelAndView;
    }
}

And here is the response.

[images: screenshots of the response]

Any help is really appreciated.

There is 1 best solution below

D C Sahu

I was able to fix this by following the guide here https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

Added the code below in SpringSecurityConfig:

// Permitting all my FORWARD, INCLUDE and ERROR dispatches
.dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR).permitAll()

// Allowing all my resources, which are present in the public folder
.requestMatchers("/bootstrap/**").permitAll()
.requestMatchers("/css/**").permitAll()
.requestMatchers("/error/**").permitAll()
.requestMatchers("/fontawesome/**").permitAll()
.requestMatchers("/fuse/**").permitAll()
.requestMatchers("/highcharts/**").permitAll()
.requestMatchers("/html/**").permitAll()
.requestMatchers("/images/**").permitAll()
.requestMatchers("/js/**").permitAll()
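For reference, the question's filter chain with the answer's rules merged in, as an added example that is not code from either poster. It assumes the question's `JwtAuthenticationFilter` class and `AuthenticationProvider` bean exist unchanged, and that `Role.ADMIN.name()` and `Role.USER.name()` evaluate to `"ADMIN"` and `"USER"`; the class name `MergedSecurityConfiguration` is hypothetical.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class MergedSecurityConfiguration { // hypothetical name for this sketch

    // JwtAuthenticationFilter and the AuthenticationProvider bean are the question's own.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            JwtAuthenticationFilter jwtAuthenticationFilter,
            AuthenticationProvider authenticationProvider) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(request -> request
                // Spring Security 6 authorizes every dispatch, not only the initial
                // request. GET /login is permitted, but the FORWARD that renders
                // html/login.html matched no rule and fell through to
                // anyRequest().authenticated(), which produced the 403.
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.INCLUDE,
                        DispatcherType.ERROR).permitAll()
                // Static assets served from the public folder (list from the answer).
                .requestMatchers("/bootstrap/**", "/css/**", "/error/**", "/fontawesome/**",
                        "/fuse/**", "/highcharts/**", "/html/**", "/images/**", "/js/**").permitAll()
                // Public API endpoints and page routes (list from the question).
                .requestMatchers("/registration/validateuserid", "/registration/registeruser",
                        "/auth/createtoken", "/master/**").permitAll()
                // Rules are evaluated in order, first match wins: "/report" must stay
                // above "/report/**" or the page route would require ADMIN.
                .requestMatchers("/login", "/registration", "/application", "/report").permitAll()
                .requestMatchers("/report/**").hasAuthority("ADMIN")
                .requestMatchers("/auth/refreshtoken", "/expense/**").hasAnyAuthority("ADMIN", "USER")
                .anyRequest().authenticated())
            .sessionManagement(m -> m.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authenticationProvider(authenticationProvider)
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Everything not listed still falls under `anyRequest().authenticated()`, so the permitted asset prefixes should contain only files that are safe to serve without a token.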