DEV Community

Cover image for How to disable Spring Security for static resources
JavaFullStackDev.in
JavaFullStackDev.in

Posted on

How to disable Spring Security for static resources

To disable Spring Security for static resources in a Spring Boot application, you can configure Spring Security to ignore specific paths or patterns. Here are the steps:

  1. Configure Spring Security to Ignore Static Resources: You can use the WebSecurityCustomizer to ignore specific paths or patterns. For example, to ignore all requests to the /static/** path, you can add the following configuration:
   @Configuration
   @EnableWebSecurity
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       public void configure(WebSecurity web) {
           web.ignoring().antMatchers("/static/**");
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Using requestMatchers in Spring Security 6: If you are using Spring Security 6, you need to use requestMatchers instead of antMatchers. Here is an example:
   @Configuration
   @EnableWebSecurity
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       public void configure(WebSecurity web) {
           web.ignoring().requestMatchers(PathRequest.toStaticResources());
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Customizing Resource Handling: You can also customize how static resources are handled by Spring Boot by configuring the ResourceHandlerRegistry in a WebMvcConfigurer implementation:
   @Configuration
   public class WebConfig implements WebMvcConfigurer {
       @Override
       public void addResourceHandlers(ResourceHandlerRegistry registry) {
           registry.addResourceHandler("/static/**")
                   .addResourceLocations("classpath:/static/")
                   .setCachePeriod(3600)
                   .resourceChain(true)
                   .addResolver(new VersionResourceResolver().addContentVersionStrategy("/**"));
       }
   }
Enter fullscreen mode Exit fullscreen mode
  1. Using Cache-Control Headers: If you need to set specific Cache-Control headers for static resources, you can do so by setting the headers directly in the HttpServletResponse from a controller method:
   @Controller
   public class MyController {
       @RequestMapping(...)
       public String myMethod(HttpServletResponse response) {
           response.setHeader("Cache-Control", "max-age=14400");
           // ...
       }
   }
Enter fullscreen mode Exit fullscreen mode

By following these steps, you can ensure that Spring Security does not interfere with the serving of static resources in your Spring Boot application.

Citations:
[1] https://stackoverflow.com/questions/76097411/how-can-i-configure-spring-security-6-to-ignore-the-static-resources-folder
[2] https://www.codejava.net/frameworks/spring-boot/spring-security-allow-static-resources
[3] https://www.geeksforgeeks.org/serve-static-resources-with-spring/
[4] https://www.reddit.com/r/javahelp/comments/125ds72/spring_security_not_allowing_static_folder_access/
[5] https://stackoverflow.com/questions/33214501/how-to-add-cache-control-header-to-static-resource-in-spring-boot

Do your career a big favor. Join DEV. (The website you're on right now)

It takes one minute, it's free, and is worth it for your career.

Get started

Community matters

Top comments (0)

The Most Contextual AI Development Assistant

Pieces.app image

Our centralized storage agent works on-device, unifying various developer tools to proactively capture and enrich useful materials, streamline collaboration, and solve complex problems through a contextual understanding of your unique workflow.

đź‘Ą Ideal for solo developers, teams, and cross-company projects

Learn more

đź‘‹ Kindness is contagious

Immerse yourself in a wealth of knowledge with this piece, supported by the inclusive DEV Community—every developer, no matter where they are in their journey, is invited to contribute to our collective wisdom.

A simple “thank you” goes a long way—express your gratitude below in the comments!

Gathering insights enriches our journey on DEV and fortifies our community ties. Did you find this article valuable? Taking a moment to thank the author can have a significant impact.

Okay