3

I have my custom controller "/my-endpoint" and a Spring app with the following configuration:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/my-endpoint", "/health")
                .permitAll()
                .antMatchers(DENY_RESOURCE_PATTERNS)
                .denyAll()
                .anyRequest()
                .authenticated();
    }

It seems that for an anonymous user it is working fine. But if I am already authorized (using OAuth2) and my session (or token) is expired -> Spring tries to redirect me to the login page.

I don't want this; I want to allow any user to connect to the "/my-endpoint" endpoint.

What did I forget to configure?

The interesting thing is that the built-in endpoint "/health" works as expected, even if the session is expired.

Romil Patel
Vololodymyr

1 Answer

2

You can use configure(WebSecurity web). It will bypass the Spring Security filters and will allow any user to access the endpoint. See HttpSecurity vs WebSecurity.

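    @Override
    public void configure(WebSecurity web) throws Exception {
        // Paths listed under ignoring() bypass the Spring Security filters entirely.
        // yourMethod is a placeholder: use the HTTP method the endpoint serves.
        web
          .ignoring()
            .antMatchers(HttpMethod.yourMethod, "/health")
            .antMatchers(HttpMethod.yourMethod, "/my-endpoint");
    }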
Romil Patel
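
An added example, not part of the answer above: an alternative that keeps "/my-endpoint" inside Spring Security but gives it its own filter chain without any OAuth2 processing. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter; the class name and the @Order value are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class; lives next to the existing security configuration.
@Configuration
@Order(1) // assumption: lower than the order of the existing OAuth2 configuration,
          // so FilterChainProxy tries this chain first
public class PublicEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles only /my-endpoint; every other path falls
            // through to the configuration shown in the question.
            .antMatcher("/my-endpoint")
            .authorizeRequests()
                .anyRequest().permitAll();
        // No OAuth2 configuration is applied to this chain, so an expired
        // session or token is never evaluated for this path.
        // Unlike web.ignoring(), the defaults that HttpSecurity applies
        // (security response headers, CSRF protection) stay active here, so
        // state-changing requests still need a CSRF token unless CSRF is
        // deliberately disabled for this chain.
    }
}
```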