I am using Spring Boot 3 for my REST application and want to exclude some REST endpoints from authorization.
Take this REST Controller as an example:
    @RestController
    @RequestMapping("/api/rest/products")
    class ProductController { ... }
My Security config looks like this:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/api/rest/products").permitAll()
                .anyRequest().authenticated()
        );
        ...
    }
But this doesn't work. The /products endpoint still demands an Authorization header. It only works when I provide a regex like this:
    requestMatchers("**").permitAll()
Now all endpoints won't require the Auth header. What am I doing wrong? I haven't yet found a proper string to only exclude the /products endpoint.
If you want to exclude some of the REST endpoints from authorization, I would suggest using the WebSecurityCustomizer in your configuration file. Once you manually add the WebSecurityCustomizer, the bean will be automatically used by the WebSecurityConfiguration. I have added a sample code example below.
    @Bean
    public WebSecurityCustomizer ignoringCustomizer() {
        return (web) -> web.ignoring().requestMatchers("/ignore1", "*/ignoreRequest");
    }
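A complete configuration putting both approaches from this thread side by side (added example, not code from either poster). It assumes Spring Security 6 (the version shipped with Spring Boot 3), HTTP Basic as the login mechanism, a class name of SecurityConfig, and the static-resource paths in the ignoring customizer; only the products path comes from the question. It also shows the method-scoped overload of requestMatchers so that only GET on the catalogue is open, and notes why permitAll() is the safer choice for an API endpoint than web.ignoring().

```java
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Path of the controller from the question. A bare "/api/rest/products"
    // matcher covers only that exact path; the "/**" variant is needed for
    // sub-paths such as /api/rest/products/42.
    private static final String PRODUCTS = "/api/rest/products";

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Anonymous read access to the product catalogue only.
                .requestMatchers(HttpMethod.GET, PRODUCTS, PRODUCTS + "/**").permitAll()
                // Everything else, including POST/PUT/DELETE on products,
                // still requires an authenticated caller.
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // The WebSecurityCustomizer route from the answer above. Requests matching
    // these patterns skip the entire security filter chain: no authentication,
    // but also no CSRF protection, no security headers and no SecurityContext.
    // Keep it for static resources; use permitAll() for API endpoints so the
    // rest of the chain still runs. Paths here are assumed, not from the thread.
    @Bean
    public WebSecurityCustomizer ignoringCustomizer() {
        return web -> web.ignoring().requestMatchers("/favicon.ico", "/static/**");
    }
}
```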