JavaFullStackDev.in

How to disable Spring Security for static resources

To disable Spring Security for static resources in a Spring Boot application, you can configure Spring Security to ignore specific paths or patterns. Here are the steps:

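  1. Configure Spring Security to Ignore Static Resources: You can use a WebSecurityCustomizer bean to ignore specific paths or patterns. For example, to ignore all requests to the /static/** path, you can add the following configuration:
   import org.springframework.context.annotation.Bean;
   import org.springframework.context.annotation.Configuration;
   import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
   import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

   @Configuration
   @EnableWebSecurity
   public class SecurityConfig {
       @Bean
       public WebSecurityCustomizer webSecurityCustomizer() {
           // Matches the URL path /static/**, not the classpath folder; antMatchers exists up to Spring Security 5.8
           return web -> web.ignoring().antMatchers("/static/**");
       }
   }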
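  2. Using requestMatchers in Spring Security 6: If you are using Spring Security 6, you need to use requestMatchers instead of antMatchers. WebSecurityConfigurerAdapter was removed in 6.0, so the configuration is declared as a WebSecurityCustomizer bean. Here is an example:
   import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
   import org.springframework.context.annotation.Bean;
   import org.springframework.context.annotation.Configuration;
   import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
   import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

   @Configuration
   @EnableWebSecurity
   public class SecurityConfig {
       @Bean
       public WebSecurityCustomizer webSecurityCustomizer() {
           // atCommonLocations() turns the static-resource request into a RequestMatcher (/css/**, /js/**, /images/**, /webjars/**, favicon)
           return web -> web.ignoring().requestMatchers(PathRequest.toStaticResources().atCommonLocations());
       }
   }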
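  3. Customizing Resource Handling: You can also customize how static resources are handled by Spring Boot by configuring the ResourceHandlerRegistry in a WebMvcConfigurer implementation:
   import org.springframework.context.annotation.Configuration;
   import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
   import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
   import org.springframework.web.servlet.resource.VersionResourceResolver;

   @Configuration
   public class WebConfig implements WebMvcConfigurer {
       @Override
       public void addResourceHandlers(ResourceHandlerRegistry registry) {
           // Serve classpath:/static/ under the URL prefix /static/**
           registry.addResourceHandler("/static/**")
                   .addResourceLocations("classpath:/static/")
                   .setCachePeriod(3600) // seconds
                   .resourceChain(true)
                   .addResolver(new VersionResourceResolver().addContentVersionStrategy("/**"));
       }
   }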
  4. Using Cache-Control Headers: If you need to set specific Cache-Control headers for static resources, you can set the header directly on the HttpServletResponse in the controller method that serves the resource:
   @Controller
   public class MyController {
       @RequestMapping(...)
       public String myMethod(HttpServletResponse response) {
           response.setHeader("Cache-Control", "max-age=14400");
           // ...
       }
   }

By following these steps, you can ensure that Spring Security does not interfere with the serving of static resources in your Spring Boot application.
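
An alternative to web.ignoring(), as an added example that is not code from the original post: ignored paths skip the Spring Security filter chain entirely, so no security response headers are written for them, and Spring Security logs a warning at startup recommending permitAll via HttpSecurity#authorizeHttpRequests instead. The sketch assumes Spring Boot 3 with Spring Security 6; the class name, the anyRequest().authenticated() rule and form login are assumptions for illustration.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Static assets need no authentication, but the request still
                // passes through the filter chain, so the default security
                // headers (for example X-Content-Type-Options) are written.
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // URL prefix, not the classpath folder: only matches when a
                // resource handler is mapped to /static/** as shown above.
                .requestMatchers("/static/**").permitAll()
                // Assumed policy for everything else.
                .anyRequest().authenticated())
            // Assumed login mechanism; replace with the application's own.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Spring Security writes its default no-cache Cache-Control headers only when the response carries no cache headers of its own, so the cache period set with setCachePeriod on the resource handler above still applies.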

