Tags: spring-boot, authentication, spring-security, api-authorization

Spring Boot filter executed in case of permitAll urls as well


I am new to Spring Boot and trying to implement security where no filters are applied to my login, signup and home urls.

I am using Spring Boot 2.7.1

I am expecting antMatchers("/**/signup").permitAll() to remain free of any security filter.

Upon debugging, I found that my signup url was being hit and user details were saved, but my AuthorizationFilter was also being executed.

This is my SecurityFilterChain:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.userDetailsService(userLoginService).passwordEncoder(bCryptPasswordEncoder);
        AuthenticationManager authenticationManager = authenticationManagerBuilder.build();

        http.csrf().disable().authorizeHttpRequests()
                .antMatchers("/**/login").permitAll()
                .antMatchers("/**/signup").permitAll()
                .antMatchers("/home/**").permitAll()
                .anyRequest().authenticated().and()
                .addFilter(getAuthenticationFilter(authenticationManager))
                .addFilter(new AuthorizationFilter(authenticationManager))
                .authenticationManager(authenticationManager)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        return http.build();
    }

I don't understand why it is happening this way.


Solution

When you use permitAll() you are not disabling the filters, you are just specifying that you do not want to apply any authorization checks for that RequestMatcher. All the filters will still work.

The AuthorizationFilter will be invoked but since you configure permitAll() for that endpoint, it will always grant access.
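To make the distinction concrete, here is an added example (not code from the question, the answer, or Spring Security itself) for Spring Boot 2.7 / Spring Security 5.7. It separates the two mechanisms: permitAll() only decides the authorization outcome, while a custom filter decides for itself whether to run by overriding OncePerRequestFilter.shouldNotFilter. The class name JwtAuthorizationFilter, the PUBLIC_PATHS matcher and the bearer-token check are assumptions made for the example.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical token-checking filter (assumption for this example).
 * Spring Security's own AuthorizationFilter, the one permitAll() configures,
 * still runs for every request; this class only shows how a custom filter
 * can opt out of the public paths itself.
 */
class JwtAuthorizationFilter extends OncePerRequestFilter {

    // Same public endpoints as the permitAll() rules in the question.
    private static final RequestMatcher PUBLIC_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/**/login"),
            new AntPathRequestMatcher("/**/signup"),
            new AntPathRequestMatcher("/home/**"));

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Returning true skips doFilterInternal for this request only;
        // the rest of the filter chain (headers, AuthorizationFilter, ...) still runs.
        return PUBLIC_PATHS.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // Fail closed: a protected path without a bearer token is rejected here.
            response.sendError(HttpStatus.UNAUTHORIZED.value(), "Missing bearer token");
            return;
        }
        // Token validation and SecurityContext population would go here (omitted; assumption).
        chain.doFilter(request, response);
    }
}

@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Authorization rules: permitAll() means "always grant" for these matchers.
            // The AuthorizationFilter is still invoked; it just never denies them.
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/**/login", "/**/signup", "/home/**").permitAll()
                .anyRequest().authenticated())
            // Custom filter placed before the form-login filter; it skips public paths on its own.
            .addFilterBefore(new JwtAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Keeping the public endpoints inside the SecurityFilterChain (rather than excluding them with WebSecurityCustomizer / web.ignoring()) is the safer choice: an ignored path bypasses the whole chain, so it loses the security headers and CSRF/session handling that the chain would otherwise still apply. The shouldNotFilter override gives the same "no token check on login/signup" behaviour while everything else keeps running, which is exactly what the answer above describes.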