Disable Spring Security for Options Http Method

Have you tried this?

You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.).

<http auto-config="true" use-expressions="true">
    <!-- Most specific matches first: rules are evaluated in order and the first match wins -->
    <intercept-url pattern="/client/edit" access="isAuthenticated()" method="GET" />
    <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
</http>

The above means you need to select the URL pattern to intercept and which methods you want.

Disable HTTP OPTIONS method in spring boot application

The previous answer is for Tomcat only, so I'm adding mine as well. You can disable the method cross-container by, for example, using a standard servlet filter:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Rejects every OPTIONS request with 405 before it reaches the rest of the filter chain.
@Component
public class MethodFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        if (request.getMethod().equals("OPTIONS")) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            filterChain.doFilter(request, response);
        }
    }
}

Note: it is assumed that this class is component-scanned by Spring. If not, you can use other registration methods as detailed here.

How to disable basic http auth for OPTIONS with SpringBoot Security

In the method

@Override
protected void configure(HttpSecurity http) throws Exception {
    ...
}

add

http.authorizeRequests()
    .antMatchers(HttpMethod.OPTIONS, "/path/to/skip/check").permitAll()

How to disable spring security for particular url

When using permitAll, it means every authenticated user; however, you disabled anonymous access, so that won't work.

What you want is to ignore certain URLs. For this, override the configure method that takes a WebSecurity object and ignore the pattern.

@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching this pattern bypass the Spring Security filter chain entirely
    web.ignoring().antMatchers("/api/v1/signup");
}

And remove that line from the HttpSecurity part. This will tell Spring Security to ignore this URL and not apply any filters to it.

How does .headers().frameOptions().disable() work?

First, let's look at the X-Frame-Options response header.

This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>.

Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Spring Security sets the X-Frame-Options response header to DENY by default.

This tells the browser that the page cannot be displayed in a frame, regardless of the site attempting to do so.

Since the H2 console UI uses <frame> elements, these will not be rendered and you will see the error screen that you shared in your question.

Spring Security allows you to customise this behaviour using .headers().frameOptions() in the Security DSL.

If you choose to disable the X-Frame-Options header (not recommended) by setting .headers().frameOptions().disable(), then Spring Security will not add the X-Frame-Options header to the response.

This means your application could be rendered in a frame, and also could be vulnerable to Clickjacking attacks.

Instead of disabling it, it is sufficient for this use case to set X-Frame-Options to SAMEORIGIN.

http
    .headers(headers -> headers
        .frameOptions(frameOptions -> frameOptions
            .sameOrigin()
        )
    )

This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.

Since the frames in the H2 console UI (such as http://localhost:8080/h2-console/tables.do) are on the same origin as the H2 console (http://localhost:8080/h2-console), the browser will allow them to be displayed.

However, if a different (potentially malicious) website tried to embed one of the pages, the browser would not allow it.
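As an added example (not code from any of the answers above), here is how the advice from these answers fits together in a Spring Security 6 / Spring Boot 3 configuration: the SAMEORIGIN relaxation is scoped to the H2 console only, every other path keeps the default X-Frame-Options: DENY, and OPTIONS preflight requests are permitted only under an assumed /api/** prefix. The /h2-console path is Spring Boot's default; the /api/** prefix is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1 applies only to the H2 console (Spring Boot's default path).
    // Its UI is built from <frame> elements, so X-Frame-Options is relaxed to
    // SAMEORIGIN here and nowhere else; other origins still cannot embed it.
    @Bean
    @Order(1)
    SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/h2-console/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                .frameOptions(frameOptions -> frameOptions.sameOrigin()))
            // The console's own forms carry no CSRF token; disable CSRF for this chain only.
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2 handles everything else and keeps the default X-Frame-Options: DENY.
    // Only OPTIONS (CORS preflight) under the assumed /api/** prefix is allowed
    // without credentials; the real GET/POST/PUT requests stay authenticated.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

To verify the scoping, inspect the response headers: a request to /h2-console/ should carry X-Frame-Options: SAMEORIGIN, while any other path (for example /) should still carry X-Frame-Options: DENY.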
