fix: custom CSS is shown on unauthenticated pages (#15110) (#15496)

(cherry picked from commit 2078920)
dhis2 · Oct 26, 2023 · e16535d · e16535d
1 parent 0a63f24
commit e16535d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/...b-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java b/...b-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java
@@ -434,6 +434,12 @@ private void configureAccessRestrictions(
           // migrated
           .antMatchers("/index.html")
           .permitAll()
+          .antMatchers("/external-static/**")
+          .permitAll()
+          .antMatchers("/favicon.ico")
+          .permitAll()
+          .antMatchers("/oauth2/**")
+          .permitAll()
           .antMatchers(apiContextPath + "/authentication/login")
           .permitAll()
           .antMatchers(apiContextPath + "/account/recovery")
@@ -442,12 +448,16 @@ private void configureAccessRestrictions(
           .permitAll()
           .antMatchers(apiContextPath + "/account")
           .permitAll()
-          .antMatchers(apiContextPath + "/staticContent/*")
+          .antMatchers(apiContextPath + "/staticContent/**")
           .permitAll()
-          .antMatchers(apiContextPath + "/externalFileResources/*")
+          .antMatchers(apiContextPath + "/externalFileResources/**")
           .permitAll()
           .antMatchers(apiContextPath + "/icons/*/icon.svg")
           .permitAll()
+          .antMatchers(apiContextPath + "/files/style/external")
+          .permitAll()
+          .antMatchers(apiContextPath + "/publicKeys/**")
+          .permitAll()
           .anyRequest()
           .authenticated()
           .accessDecisionManager(apiAccessDecisionManager());

diff --git a/...-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java b/...-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java
@@ -149,8 +149,6 @@ protected void configure(HttpSecurity http) throws Exception {
           .permitAll()
           .antMatchers("/impersonate")
           .hasAnyAuthority("ALL", "F_IMPERSONATE_USER")
-          .antMatchers("/api/staticContent/**")
-          .permitAll()
           .antMatchers("/dhis-web-commons/oidc/**")
           .permitAll()
           .antMatchers("/dhis-web-commons/javascripts/**")
@@ -161,14 +159,10 @@ protected void configure(HttpSecurity http) throws Exception {
           .permitAll()
           .antMatchers("/dhis-web-commons/fonts/**")
           .permitAll()
-          .antMatchers("/api/files/style/external")
-          .permitAll()
           .antMatchers("/external-static/**")
           .permitAll()
           .antMatchers("/favicon.ico")
           .permitAll()
-          .antMatchers("/api/publicKeys/**")
-          .permitAll()
           // Dynamic content
           .antMatchers("/dhis-web-commons/i18nJavaScript.action")
           .permitAll()