Preventing spring-security to redirect invalid urls to login page

Question

I\'ve setup a spring-boot + spring-mvc + spring-security project.

Everything work as expected right now except for the invalid urls.

If I issue:

Answer 1

To customize your particular use case apply the inverted logic as suggested. You could do like this:

1) Replace

.anyRequest().authenticated()

by

.anyRequest().anonymous()

2) Add

.antMatchers("/protected-urls/**").authenticated()

The rule in 2) must come before that in 1) as the first match applies. Unless you have a common url prefix for protected resources you'll have to declare all the authenticated urls one by one.

You can also apply additional configuration overriding the

public void configure(WebSecurity web)...

for example to ignore static resources:

web.ignoring().antMatchers("/favicon.ico", "*.css")

Hope that helps.

Answer 2

This is a security feature, not a problem.

Your security model is "deny all unless explicitly allowed". If a request path is protected (i.e. doesn't match an explicitly permitAll path), then you would not want to reveal that it does not exist until the user was authenticated. In certain situations the 404 could leak private information

.../user/jones is 404? Hmm... something happened to Jones

This is the reason well designed login forms don't tell you "user not found" or "invalid password", and instead just say "invalid credentials" in all failure cases to avoid giving away too much.

The only way to get invalid URLs to bypass security would be to invert your security model, making everything public unless explicitly protected ("allow unless explicitly prohibited"). Which has its own set of issues, such as having to remember to update the definition every time a new root path is created.