So I was playing around with a little Spring Security and trying to piece together a registration/signup page. I didn’t really want to deal with authenticating users or any of the pieces that might get in my way in that regard so I attempted to just allow my requests (GETs and POSTs) directly through to my registration page Controller which would handle both. Seems easy enough, right?
I went about setting up my class annotated with @EnableWebSecurity and extended the WebSecurityConfigurerAdapter class. I overrided (overrode?) the “configure” method of this class and put a “permitAll()” on an antMatcher of “/registration” – which the Controller was mapped to handle – and proceeded to “GET” the form for registration.
The “configure” method looked like this:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/registration", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
The GET request was going through to the controller and returning the view, but the POST action from the form contained in the registration page was receiving a 302 and was redirecting to the non-existent login page.
I searched around to find out what was going on since I’m not well-versed in Spring Security. I looked into what exactly “permitAll” was doing and how it compared to trying to disable autoconfigured filters and things like that. I came upon this Baeldung article which said:
This is achieved without disabling the security filters – these still run, so any Spring Security related functionality will still be available.
This made me wonder… what are the security filters that are magically put in place by the Spring Security setup by default..?
I then found this very helpful Baeldung article which allowed me to get a look at what filters were working and what they were doing.
You change the declaration of your Security Config class like so:
@EnableWebSecurity(debug = true)
and set your logging level so:
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
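To answer the "which filters are in place by default?" question without reading debug logs, the filter chain can also be listed at startup; this is an added example, not code from the original post or the Baeldung articles. It assumes a Spring Boot application on Spring Security 5.x (the WebSecurityConfigurerAdapter era, hence javax.servlet), and the class name SecurityFilterLister is hypothetical.

```java
import java.util.List;
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.debug.DebugFilter;

// Hypothetical helper class, added for illustration (not from the original post).
@Configuration
public class SecurityFilterLister {

    // "springSecurityFilterChain" is the bean name under which Spring Security
    // registers its servlet filter.
    @Bean
    public CommandLineRunner listSecurityFilters(
            @Qualifier("springSecurityFilterChain") Filter securityFilter) {
        return args -> {
            FilterChainProxy proxy = unwrap(securityFilter);
            if (proxy == null) {
                System.out.println("Unexpected security filter type: "
                        + securityFilter.getClass().getName());
                return;
            }
            // One chain per configured HttpSecurity; a permitAll() rule does not
            // remove any filter from these lists.
            List<SecurityFilterChain> chains = proxy.getFilterChains();
            for (int i = 0; i < chains.size(); i++) {
                System.out.println("Security filter chain #" + i + ":");
                for (Filter f : chains.get(i).getFilters()) {
                    System.out.println("  " + f.getClass().getSimpleName());
                }
            }
        };
    }

    // With @EnableWebSecurity(debug = true) the bean is a DebugFilter that wraps
    // the FilterChainProxy, so both cases are handled.
    private static FilterChainProxy unwrap(Filter filter) {
        if (filter instanceof FilterChainProxy) return (FilterChainProxy) filter;
        if (filter instanceof DebugFilter) return ((DebugFilter) filter).getFilterChainProxy();
        return null;
    }
}
```

The filters print in the order they run for a request.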