Generator-jhipster: Allow Anonymous Access To An Entity, 401 Error

Created on 24 Jan 2016 · 2 Comments · Source: jhipster/generator-jhipster

I'm trying to generate a page that users can see without being logged in, i.e., for anonymous access. It is unclear from the documentation how to accomplish this.

To access an entity anonymously, the JHipster documentation states:

Authorizations...
For each state, the required authorities are listed in the state's data, and when the authority list is empty it means that the state can be accessed anonymously.

To accomplish this, the 'roles:[]' element is left empty:

.config(function ($stateProvider) {
    $stateProvider
        .state('show', {
            parent: '',
            url: '/show',
            data: {
                roles: [] // leave empty for anonymous
            },
            views: {
                'content@': {
                    templateUrl: 'show.html',
                    controller: 'ShowController'
                }
            },
            resolve: {
                aboutTranslatePartialLoader: ['$translate', '$translatePartialLoader', function ($translate, $translatePartialLoader) {
                    $translatePartialLoader.addPart('main');
                    return $translate.refresh();
                }]
            }
        });
});

This all works fine when logged in but when not logged in a 401 error is generated:
GET http://localhost:3000/api/current-schedule?cacheBuster=1453640970976 401 (Unauthorized)

The ShowController generates the 401 when accessing entity data. It is unclear how anonymous RESTful authentication can be configured for an endpoint. The app is configured for '"authenticationType": "xauth"'. I'd like to allow 'GET' for anonymous access on an entity but require ROLE_USER for all other access.

Thanks in advance for any suggestions.

All 2 comments

The stateProvider only restricts client-side access to a specific state. If you also want to open the API endpoint to the public, you have to enable access to it in java/config/SecurityConfiguration.

You can use .antMatchers("/api/**").permitAll() to allow anyone to access the API.
If you only want to make a certain path accessible to everyone, you can just add that. So, for example, my API is still secured but I can have anonymous users search my Case Study entity: .antMatchers("/api/_search/case-studies").permitAll()
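
The narrower rule the question asks for (anonymous GET on one endpoint, ROLE_USER for every other method on it), as an added example that is not part of the original thread or of JHipster's generated code. It assumes the Spring Security `WebSecurityConfigurerAdapter` style; the endpoint path is taken from the 401 request in the question, and the class is a stripped-down stand-in for the generated SecurityConfiguration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: only the authorizeRequests() rules are shown.
// Keep the token filter, CSRF, session and entry-point settings
// that the generated class already contains.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top to bottom and the first match wins,
                // so the narrow anonymous rule must come before the broad ones.
                .antMatchers(HttpMethod.GET, "/api/current-schedule").permitAll()
                // Any other method on this resource (POST, PUT, DELETE), and any
                // sub-path such as /api/current-schedule/1, requires ROLE_USER.
                .antMatchers("/api/current-schedule/**").hasAuthority("ROLE_USER")
                // Everything else under /api stays closed to anonymous callers.
                .antMatchers("/api/**").authenticated();
    }
}
```

Placing the `permitAll()` line after `.antMatchers("/api/**").authenticated()` would leave the endpoint protected, because the broader pattern would match first.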

Perfect answer. Problem solved. Thanks!
