1

I'm trying out Spring Boot for the first time and I'm stuck with an error 403 that I can't figure out how to get around.

I've created an admin page using thymeleaf:

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>The Link Application</title>
    <link rel="stylesheet" href="css/bootstrap.min.css"/>
</head>
<body>

<nav class="navbar navbar-default">
    <div class="container-fluid">

        <div class="navbar-header">
            <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
                <span class="sr-only">Toggle Navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
            </button>
            <a class="navbar-brand" href="#">
                <img src="img/Company-logo-sm-header.png" />
            </a>
        </div>
    </div>
</nav>

...

The CSS loads perfectly and is located at src/main/resources/static/css. The image that's giving me the error 403 is located at src/main/resources/static/img.

This is my Application class:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {

  public static void main(String[] args) throws Exception {
    SpringApplication.run(Application.class, args);
  }

}

I've got an MVC Config class:

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

  @Override
  public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/home").setViewName("home");
    registry.addViewController("/").setViewName("home");
    registry.addViewController("/hello").setViewName("hello");
    registry.addViewController("/login").setViewName("login");
  }

}

And a security config, which I'm not sure I'm using correctly; antMatchers(...).permitAll() seems to me like it should allow images:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
          .antMatchers("/public/**", "/resources/**","/resources/public/**").permitAll()
          .antMatchers("/", "/home", "/link").permitAll()
          .antMatchers("/css/**", "/js/**", "/img/**", "**/favicon.ico").anonymous()
          .antMatchers("/admin").hasRole("ADMIN")
        .anyRequest().authenticated().and()
        .formLogin().loginPage("/login").permitAll().and()
        .logout().permitAll();
  }

  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser("admin").password("admin").roles("USER", "ADMIN").and()
        .withUser("user").password("user").roles("USER");
  }

}

I'm using Spring Boot 1.3.3. I don't have a public directory in /src/main/resources; all my static content is going into /src/main/resources/static. CSS is going into the css subfolder, JS is going into the js subfolder, and they both work fine when doing <link rel="stylesheet" href="css/bootstrap.min.css"/> or <script src="js/jquery-2.2.1.min.js"></script>

Any idea why my image in /src/main/resources/static/img is giving me an error 403 and the CSS in /src/main/resources/static/css and JS in /src/main/resources/static/js are not?

2 Answers

3

I think it's just your security config that needs work.

You don't need this line since that's just where the static assets are being served from. It's not a path that will be accessible.

.antMatchers("/public/**", "/resources/**","/resources/public/**").permitAll()

As for this line, try changing .anonymous() to .permitAll() and you should be able to access the images.

.antMatchers("/css/**", "/js/**", "/img/**", "**/favicon.ico").anonymous()

2 Comments

Great stuff, that works! What does the anonymous() do? permitAll() I can see is allowing all requests, anonymous I'm not clear about.
I've never used it myself in any app I've written, but you can consider anonymous authentication as an actual user with certain limitations.
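
The difference between the two rules in the answer above, as an added example that is not part of the original posts and is not Spring Security's own code: a simplified plain-Java model in which the first matching rule decides, `anonymous()` passes only callers who are not logged in, and `permitAll()` passes everyone. The class, record and method names are hypothetical, and ant patterns are reduced to a prefix match.

```java
import java.util.List;
import java.util.function.Predicate;

public class AnonymousVsPermitAll {
    // Constructed stand-ins: a caller is either anonymous or logged in.
    record Caller(String name, boolean anonymous) {}
    // One authorizeRequests() rule: a path prefix plus its access check.
    record Rule(String prefix, Predicate<Caller> access) {}

    static final Predicate<Caller> PERMIT_ALL = c -> true;               // permitAll()
    static final Predicate<Caller> ANONYMOUS = Caller::anonymous;        // anonymous()
    static final Predicate<Caller> AUTHENTICATED = c -> !c.anonymous();  // authenticated()

    // The first rule whose prefix matches decides; later rules are not consulted.
    static String decide(List<Rule> rules, String path, Caller caller) {
        for (Rule rule : rules) {
            if (!path.startsWith(rule.prefix())) continue;
            if (rule.access().test(caller)) return "allowed";
            // A denied anonymous caller is sent to the login page,
            // a denied logged-in caller gets 403.
            return caller.anonymous() ? "redirect to /login" : "403 Forbidden";
        }
        return "403 Forbidden"; // not reached here: the "" prefix matches every path
    }

    public static void main(String[] args) {
        // The question's rule for /img/** followed by anyRequest().authenticated()
        List<Rule> asAsked = List.of(new Rule("/img/", ANONYMOUS), new Rule("", AUTHENTICATED));
        // The same rules with the change suggested in the answer
        List<Rule> asFixed = List.of(new Rule("/img/", PERMIT_ALL), new Rule("", AUTHENTICATED));

        String path = "/img/Company-logo-sm-header.png";
        List<Caller> callers = List.of(
            new Caller("not logged in", true),
            new Caller("admin (logged in)", false));
        for (Caller c : callers) {
            System.out.printf("%-18s anonymous(): %-14s permitAll(): %s%n",
                c.name(), decide(asAsked, path, c), decide(asFixed, path, c));
        }
    }
}
```

In this model the logged-in admin is the caller who receives the 403 on the image under `anonymous()`, while the visitor who has not logged in is allowed.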
0

I want to add to Patrick's answer above. The answer helped me, but I had made another mistake. When I added

.antMatchers("/assets/css/**", "/assets/js/**", "/assets/img/**", "**/favicon.ico").permitAll();

the 403 error code changed to 404, because I forgot to add

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/assets/**").addResourceLocations("/assets/");
}

I found this from another source. I hope somebody else will not repeat my mistake.
