Description
WebSecurityConfigurerAdapter provides two methods, configure(WebSecurity web) and configure(HttpSecurity http), for configuring security as required.
Let's consider the code below: we can skip authentication for the endpoints listed in antMatchers using either method. According to the answers on StackOverflow:
- configure(WebSecurity web)
Endpoints listed in configure(WebSecurity web) bypass the Spring Security filter chain entirely. Security features (secure headers, CSRF protection, etc.) are skipped as well, no security context is set, and the endpoints are not protected against Cross Site Scripting (XSS) or content sniffing.
- configure(HttpSecurity http)
Endpoints listed in antMatchers within configure(HttpSecurity http) skip only authentication; the other security features, such as secure headers and CSRF protection, remain in effect.
- Can we add more details on when someone should use WebSecurity versus HttpSecurity for endpoints that do not require authentication?
- How do the two actually differ, and how do they work?
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // These paths bypass the security filter chain entirely.
        web
            .ignoring()
            .antMatchers("/login", "/register", "/api/public/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // These paths go through the filter chain but require no authentication.
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/login", "/register", "/api/public/**").permitAll()
            .anyRequest().authenticated();
    }
}