How to Apply no filter on the specific end point

Question

I am using spring boot and spring security for web applications. I wanted to apply for no filter on my public API. Now what I am doing is the equality check on the path which is sent by the client and the path which I have hard code if it is equal then I am not applying the filter.

Code sample

protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
    return request.getRequestURI().equals("api/v1/public/hello"));
}

But this approach is not a good way to do. As in, there can be multiple public endpoints and I can't put an equal check on each of them. I need a solution where I can have all my public endpoints in one place and when the request comes I simply have to check in that one place if it is present then no filter will be applied.

Answer 1

Assuming you are talking about the Spring Security Filters and you may want to expose some APIs publicly.

You may use configure(WebSecurity web) or configure(HttpSecurity http) method to achieve the goal. To prevent the filters to be applied you may use configure(WebSecurity web) method. This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("api/v1/public/**");
} 

Answer 2

use antMatcher to exclude your public domain.

http.cors().and().csrf().disable().authorizeRequests()
    .antMatchers("api/v1/public/**", "/health").permitAll()
    .anyRequest()..authenticated();

Usually, closing your app for all and opening for the desired endpoint is the best security practice.