Recommendation for securing /monitoring while allowing access to boomerang.js #1224

Open
danshome opened this issue May 22, 2024 · 2 comments

Comments

@danshome

I'm trying to find recommendations for securing /monitoring while still allowing access to the URL parameter /monitoring?resource=boomerang.min.js. The documentation doesn't discuss this.

@evernat
Member

evernat commented May 25, 2024

If you use the authorized-users or allowed-addr-pattern javamelody parameters for securing /monitoring, then you have nothing more to do: javamelody restricts access to /monitoring and already allows access to /monitoring?resource=boomerang.min.js.

If you use security-constraint in web.xml for securing /monitoring, I do not think that there is a solution to allow access to /monitoring?resource=boomerang.min.js.

If you use spring-security for securing /monitoring for example with the javamelody-spring-boot-starter, then you can secure /monitoring and allow access to /monitoring?resource=boomerang.min.js using a custom request matcher, that is something like:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		http
			.authorizeHttpRequests(requests -> requests
				// custom request matcher to allow access to /monitoring?resource=boomerang.min.js
				// (rules are evaluated in declaration order, first match wins, so this rule
				// must come before the one that secures /monitoring)
				.requestMatchers(request ->
					request.getRequestURI().equals(request.getContextPath() + "/monitoring")
					&& "boomerang.min.js".equals(request.getParameter("resource"))
				).permitAll()
				// request matcher to secure access to /monitoring
				.requestMatchers("/monitoring").hasAuthority("ROLE_MONITORING")
				// anything else as you want
				.anyRequest().authenticated()
			);
		// ... (remaining http configuration elided in the original)

		return http.build();
	}
}
```
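As an added illustration (not code from the javamelody project or from the comment above), a small Python model of how these three rules are evaluated in declaration order, first match wins; it also shows the result when the two /monitoring rules are swapped. The context path, user names and request objects are constructed for the example:

```python
from dataclasses import dataclass, field
from typing import Optional

CONTEXT_PATH = "/app"  # assumed servlet context path for the constructed requests


@dataclass
class Request:
    uri: str                                    # full request URI, context path included
    params: dict = field(default_factory=dict)  # query parameters
    user: Optional[str] = None                  # None models an anonymous request
    authorities: set = field(default_factory=set)


def is_boomerang_resource(req: Request) -> bool:
    """The custom matcher: exact /monitoring path and resource=boomerang.min.js."""
    return (req.uri == CONTEXT_PATH + "/monitoring"
            and req.params.get("resource") == "boomerang.min.js")


def is_monitoring(req: Request) -> bool:
    """requestMatchers("/monitoring"): the path relative to the context path."""
    return req.uri == CONTEXT_PATH + "/monitoring"


# (matcher, decision) pairs in the order they appear in the config above.
RULES = [
    (is_boomerang_resource, lambda req: True),                          # permitAll()
    (is_monitoring, lambda req: "ROLE_MONITORING" in req.authorities),  # hasAuthority(...)
    (lambda req: True, lambda req: req.user is not None),               # anyRequest().authenticated()
]

# The same rules with the two /monitoring rules swapped: the ordering pitfall.
SWAPPED_RULES = [RULES[1], RULES[0], RULES[2]]


def authorize(req: Request, rules=RULES) -> bool:
    """First matching rule decides, as authorizeHttpRequests does; no match means denied."""
    for matcher, decision in rules:
        if matcher(req):
            return decision(req)
    return False
```

With the swapped order an anonymous request for boomerang.min.js hits the hasAuthority rule first and is denied, which is why the permitAll matcher has to be declared first.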

@evernat
Member

evernat commented May 25, 2024

Of course, you need access to boomerang.min.js only if you use the Real User Monitoring.
