Spring Security “Refused to execute script from …”

Spring Security “Refused to execute script from …”

I’m building a Spring MVC application with Spring Security and Bootstrap in my HTML files (thymeleaf templates). The Spring Security part is based on the Spring Guide for Spring Security and combined with a Spring Boot application server.
After enabling Spring Security the bootstrap css file won’t load with the error message:
Refused to execute script from ‘http://localhost:8080/js/bootstrap.min.js’ because its MIME type (‘text/html’) is not executable, and strict MIME type checking is enabled.

The error message above comes from the chrome developer console.
What I’ve tried:

Disabling the Spring Security
=> bootstrap css works again, but I need the security
Searching on the spring forums, but theres a looped link without a solution
Adding a resources handler, but I can’t see that the handler is invoked nor the error disappears
Adding the resources path to the permit call

My dir structure:
/main
|-> /java
| BootStart.java
|-> /security
|SecurityConfiguration.java
|-> /resources
|-> /static
|-> /css /** bootstrap location */
|-> /js
|-> /fonts
|-> /templates
| /user
| sample.html

Related:  How to use HTML5shiv correctly… how work on IE 9, Firefox, Safari?

BootStart.java is the java file that gets picked up by Spring Boot.
BootStart.java:
@EnableAutoConfiguration
@ComponentScan
public class BootStart {
public static void main(String[] args) {
SpringApplication.run(BootStart.class, args);
}
}

SecurityConfiguration.java:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage(“/login”)
.permitAll()
.and()
.logout()
.permitAll();
http
.authorizeRequests()
.antMatchers(“/”, “/resources/static/**”).permitAll()
.anyRequest().authenticated();

}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser(“user”).password(“password”).roles(“USER”);
}
}

Sample.html:







Currently I’m using the following dependencies in my pom:

org.springframework.boot
spring-boot-starter-thymeleaf


org.springframework.security
spring-security-core
3.2.4.RELEASE


org.springframework.security
spring-security-web
3.2.4.RELEASE


org.springframework.security
spring-security-config
3.2.4.RELEASE

How must I configure Spring Security that I can load css/ js files from my /static resources directory?

Solutions/Answers:

Solution 1:

Please check this answer by other with similar question.

If you place js files in /js/ dir, there should not that kind of MIME error.
And, for javascript files, it is better to disable security for them:

@Override
public void configure(WebSecurity web) throws Exception {
  web.ignoring().antMatchers("/the_js_path/**");
}

Solution 2:

I had the same error too with the same folder structure, it was on the css file.

Related:  With Bootstrap, how do I show radio inputs as buttons?

All I did is added /css/** in antMatcher() as below:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    httpSecurity
        .authorizeRequests()
            .antMatchers("/css/**").permitAll() //Adding this line solved it
            .anyRequest().fullyAuthenticated()
            .and()
        .formLogin()
            .loginPage("/login").permitAll()
            .loginProcessingUrl("/sign-in")
            .defaultSuccessUrl("/home")
            .failureUrl("/error")
            .and()
        .logout()
            .logoutSuccessUrl("/logout")
            .permitAll()
            .and()
        .csrf().disable();

}

In your case just add /js/** in the antMatcher() and then use permitAll()

Solution 3:

I had the same error after adding a new method to a controller.

I forgot to provide a value for the @GetMapping annotation and the @Controller itself was not bound to any URL. Wierdly enough adding @GetMapping("/foo") to my method solved the problem. I still haven’t figured out why that happened but I’m planning to find out.

Solution 4:

I used this to resolved my problem, you may try this

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**");
}

Hope it help.

Solution 5:

when we use “permitall()” or anyrequest() then it enable Mime check so i specify all url listing which use to be accecs.

Solution 6:

I removed any comments from the beginning of the css file and it works.

Related:  Hiding elements in responsive layout?

References