
Spring Security 6 .permitAll() not working

I'm building an API using Java 21, Spring Boot 3 and Spring Security 6, authenticating in Keycloak 22.

I have this code that configures my Spring Security:

public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();

    return http
            .csrf(csrf -> csrf
            .authorizeHttpRequests(requests -> requests
            .oauth2ResourceServer(oauth2 -> oauth2
                    .jwt(jwt -> jwt


I also have this configuration pointing to my Keycloak to validate the token:

    security:
      oauth2:
        resourceserver:
          jwt:
            issuer-uri: 'http://localhost:8080/realms/core-creare'

I'm trying to bypass authentication on the path "/auth", but the .permitAll() is not working. When I do a POST request to "/auth", it returns 401 Unauthorized.


  • I solved the problem! In my security filter chain I needed to ignore the /auth in CSRF config:

    return http
           .csrf(csrf -> csrf
           .authorizeHttpRequests(requests -> requests
                .requestMatchers(new AntPathRequestMatcher("/auth/**")).permitAll()
           .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
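
A complete filter chain consistent with the answer above, as an added example that is not the poster's code: `permitAll()` only governs the authorization step, while the CSRF filter runs earlier in the chain and checks state-changing requests such as POST on its own, so `/auth/**` has to be exempted there as well. The class name, the `csrfTokenRequestHandler` wiring, `anyRequest().authenticated()` and the default JWT settings are assumptions filling the parts the posted snippets leave out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig { // class name is an assumption

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();

        // One matcher shared by both rules so the CSRF exemption and the
        // permitAll() rule can never drift apart.
        RequestMatcher authEndpoints = new AntPathRequestMatcher("/auth/**");

        return http
                .csrf(csrf -> csrf
                        // Assumed wiring for the handler declared in the question.
                        .csrfTokenRequestHandler(csrfRequestHandler)
                        // The fix from the answer: skip the CSRF check for /auth/**.
                        .ignoringRequestMatchers(authEndpoints))
                .authorizeHttpRequests(requests -> requests
                        // No authentication required for /auth/**.
                        .requestMatchers(authEndpoints).permitAll()
                        // Assumption: every other path requires a valid JWT.
                        .anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2
                        // Validates bearer tokens against the configured issuer-uri.
                        .jwt(Customizer.withDefaults()))
                .build();
    }
}
```

Keep the CSRF exemption scoped to the endpoints that need it rather than disabling CSRF protection for the whole chain.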