Make JSF resources publicly accessible with Spring Security

Question

I have implemented spring security in my jsf application. Everything is working fine except static resources require authentication. This is my configuration

Answer 1

JSF managed library resources are served from the /javax.faces.resource/** path. So you need to make that path publicly accessible:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/register", "/javax.faces.resource/**").permitAll()
        .antMatchers("/**").authenticated()
        .and().formLogin().loginPage("/login").permitAll()
        .usernameParameter("username").passwordParameter("password")
        .and().exceptionHandling().accessDeniedPage("/Access_Denied");
}

You might also want those resources to be cached by the browser. Then, add this piece to your configuration, which adds a header writer for each of the responses that match a request for /javax.faces.resource/**:

http.headers()
        .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new AntPathRequestMatcher("/javax.faces.resource/**"),
                new HeaderWriter() {

                    @Override
                    public void writeHeaders(HttpServletRequest request,
                            HttpServletResponse response) {
                        response.addHeader("Cache-Control", "private, max-age=86400");
                    }
                }))
        .defaultsDisabled();

See also:

• What is the JSF resource library for and how should it be used?