diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
index 4a6e8536925..1358495c63f 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -88,7 +88,7 @@ import org.springframework.util.StringUtils;
 public class SpringBootWebSecurityConfiguration {
 private static List DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
- "/images/**", "/**/favicon.ico");
+ "/images/**", "/webjars/**", "/**/favicon.ico");
 @Bean
 @ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
index e117dcab819..8c4f534ff37 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
@@ -90,9 +90,9 @@ public class SecurityAutoConfigurationTests {
 PropertyPlaceholderAutoConfiguration.class);
 this.context.refresh();
 assertThat(this.context.getBean(AuthenticationManagerBuilder.class)).isNotNull();
- // 4 for static resources and one for the rest
+ // 5 for static resources and one for the rest
 assertThat(this.context.getBean(FilterChainProxy.class).getFilterChains())
- .hasSize(5);
+ .hasSize(6);
 }
 @Test
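Review bot: Adding `/webjars/**` to `DEFAULT_IGNORED` in SpringBootWebSecurityConfiguration.java widens the set of paths that skip security by default, and nothing at the declaration says so. The documentation hunk of this commit describes these as "Ignored (insecure) paths", so after an upgrade any handler an application already maps under `/webjars/` would presumably be served without authentication, whether or not it is a WebJars asset. A comment above the list would make the trade-off visible, for example `// Requests matching these patterns bypass the security filters; list only public static assets.` The code that consumes the list is outside this hunk, so how the new default interacts with a user-supplied `security.ignored` value should be confirmed there and called out in the upgrade notes.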
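Review bot: The updated assertion in SecurityAutoConfigurationTests.java checks only that there are six filter chains, so it would pass for any fifth ignored pattern and does not pin `/webjars/**` itself. Because this changes which paths are left unsecured by default, an assertion on the path belongs next to the count, for example `assertThat(this.context.getBean(FilterChainProxy.class).getFilters("/webjars/lib/app.js")).isEmpty();` (the sample path is constructed, and the empty filter list for an ignored path should be confirmed). A companion check that a non-ignored path still resolves to a non-empty filter list would catch a pattern that is accidentally too broad. The test method starts above the hunk.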
diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index e8bf1062b57..b668fb722c3 100644 --- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc @@ -2181,7 +2181,7 @@ The basic features you get out of the box in a web application are: * An `AuthenticationManager` bean with in-memory store and a single user (see `SecurityProperties.User` for the properties of the user). * Ignored (insecure) paths for common static resource locations (`+/css/**+`, `+/js/**+`, - `+/images/**+` and `+**/favicon.ico+`). + `+/images/**+`, `+/webjars/**+` and `+**/favicon.ico+`). * HTTP Basic security for all other endpoints. * Security events published to Spring's `ApplicationEventPublisher` (successful and unsuccessful authentication and access denied).