How to disable DefaultSecurityFilterChain in a Spring Boot app?

In my Spring Boot application, I have:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity httpSecurity)
        throws Exception 
    {
        httpSecurity
            .authorizeRequests()
            // various GET/POST path enable rules, none of which would enable access to default ones (see log below)
            ...
            // finally, deny everything else
            .antMatchers("/**").denyAll()
            ...
    }
}

At startup, the log shows:

2016-01-29 13:20:49.379  INFO 8044 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []

and I can access, for example, localhost:8080/blah/favicon.ico even though I would expect it to be blocked.

I tried to follow recommendations in Security configuration with Spring-boot and Spring Security exclude url patterns in security annotation configuration.

Per docs at http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security, I also tried setting security.ignored to various paths, as well as annotating the above class with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER), all to no avail.

Is there a simple way to disable the DefaultSecurityFilterChain so that it does not add these ignored (insecure) paths for common static resource locations?

If not, what is the proper configuration, either in Java or in application.properties, to disable these paths?


OK, so there are two ways to do it:

In application.properties, set security.ignored=none.

Or, create the following class:

import java.util.List;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.stereotype.Component;

@Component
public class CustomSecurityProperties extends SecurityProperties {
    public CustomSecurityProperties() {
        // the default list is empty
        List<String> ignoredPaths = getIgnored();
        ignoredPaths.add("none");
    }
}

A hint for the magic none came from lines 121-130 of SpringBootWebSecurityConfiguration at https://github.com/spring-projects/spring-boot/blob/master/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

Either solution still leaves the following in the log:

2016-01-29 17:53:12.830  INFO 3008 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]

This indicates that a ResourceHttpRequestHandler is created to serve the favicon.ico file. However, /blah/favicon.ico can no longer be accessed.
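The following is an added example, not code from the question or the answers above: a MockMvc test that verifies the ignore list is really gone, so that the check does not depend on reading the startup log. It assumes Spring Boot 1.3 with Spring Security 4 (current when the question was asked), JUnit 4, spring-security-test on the test classpath, that the application's main class is named Application (a hypothetical name), and that WebSecurityConfig ends with a deny-everything-else rule as in the question.

```java
// Added example (not from the question or answers). Assumed: Spring Boot 1.3 /
// Spring Security 4, JUnit 4, spring-security-test, a main class named Application
// (hypothetical), and the question's WebSecurityConfig with its final denyAll rule.
package com.example.security; // hypothetical package

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = Application.class)
@WebAppConfiguration
// Same effect as security.ignored=none in application.properties, but pinned here so the
// assertions below fail loudly if the property is ever dropped from the real configuration.
@TestPropertySource(properties = "security.ignored=none")
public class StaticResourceLockdownTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @Before
    public void setUp() {
        // apply(springSecurity()) wires in springSecurityFilterChain, so requests pass
        // through the same filter chains (and ignore list) as in the running application.
        mvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    public void nestedFaviconIsNotServedViaTheIgnoreList() throws Exception {
        // An authenticated user is used on purpose: with denyAll the chain answers 403 for
        // an authenticated principal, whereas an anonymous request is handed to the
        // authentication entry point (redirect or 401), which is harder to tell apart
        // from a misconfiguration. If Boot's default ignore list were still active, the
        // request would bypass security entirely and reach ResourceHttpRequestHandler,
        // yielding 200 or 404 rather than 403.
        mvc.perform(get("/blah/favicon.ico").with(user("tester")))
           .andExpect(status().isForbidden());
    }

    @Test
    public void otherDefaultIgnoredPathsAreLockedDownToo() throws Exception {
        // The remaining entries from the question's startup log. This assumes, as the
        // question states, that none of the application's own rules permit these paths.
        for (String path : new String[] {"/css/x.css", "/js/x.js", "/images/x.png"}) {
            mvc.perform(get(path).with(user("tester")))
               .andExpect(status().isForbidden());
        }
    }
}
```

The test authenticates the mock request rather than sending it anonymously because the status code for a denied anonymous request depends on the configured entry point (form login redirects, HTTP Basic answers 401), while a denied authenticated request is always 403; that keeps the assertion unambiguous. Running the same test without the @TestPropertySource line reproduces the behaviour from the question, which is a quick way to confirm the check itself is meaningful.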



Solution 1:[1]

In your last antMatcher to be denied, have specific URLs without having the single slash, which will block all endpoints.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Maurice Omosh