I didn't find a satisfying answer for this issue.

I have a security configuration that has been working well until now.

I want to add one more POST url, that will be allowed to access by all.

While the other excluded URLs are working well, the extra one I added does not work.

My code:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors()
        .and()
        .csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/ws/**").authenticated()
        .antMatchers(HttpMethod.DELETE, "/**").authenticated()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .antMatchers(HttpMethod.GET, "/ws/getEvents").permitAll()// ---> While this is working
        .antMatchers(HttpMethod.POST, "/ws/persons/createNotificationsSubscriber*").permitAll()// -->this not working
        .anyRequest().authenticated()
        .and()
        .logout()
        .logoutSuccessUrl("http://localhost:3006/eventsMainView")
        .and()
        .csrf().disable()
        .httpBasic();
}

1 Answer

The issue here is

.antMatchers(HttpMethod.POST, "/ws/**").authenticated()

says: authenticate every URL that starts with /ws for POST requests, but

.antMatchers(HttpMethod.POST,"/ws/persons/createNotificationsSubscriber*").permitAll() // --> this not working

This starts with the same /ws and it is a POST request, so Spring is not allowing it.

To make this work, please use this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors()
        .and()
        .csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/ws/persons/createNotificationsSubscriber*").permitAll()// --> This will work
        .antMatchers(HttpMethod.POST, "/ws/**").authenticated()
        .antMatchers(HttpMethod.DELETE, "/**").authenticated()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .antMatchers(HttpMethod.GET, "/ws/getEvents").permitAll()// ---> While this is working
        
        .anyRequest().authenticated()
        .and()
        .logout()
        .logoutSuccessUrl("http://localhost:3006/eventsMainView")
        .and()
        .csrf().disable()
        .httpBasic();
}
Ayush

Thanks, it works. My primary logic was to say that the last line will exclude, but now I see that it's taking the first match, like with routes. – lingar Jul 15 '21 at 09:51
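Because the matchers are evaluated in declaration order and the first hit wins, a later reorder can silently re-lock the open endpoint or open up the rest of /ws/**. The following Spring Boot test is an added example (not code from the question or the answer) that pins the intended outcome of the corrected ordering; it assumes a Spring Boot application using the answer's configuration and the spring-boot-starter-test dependency.

```java
// Added example: pins the first-match ordering of the corrected configuration.
// Assumes a Spring Boot app with the answer's SecurityConfig and MockMvc on the classpath.
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultMatcher;

@SpringBootTest
@AutoConfigureMockMvc
class WsAuthorizationOrderTest {

    @Autowired
    private MockMvc mockMvc;

    // Only checks that the security filter chain did not reject the request.
    // A permitAll endpoint may still answer 404 or 400 if no controller handles it;
    // what matters is that it never comes back as 401 (Basic challenge) or 403.
    private static final ResultMatcher notRejectedBySecurity = result -> {
        int code = result.getResponse().getStatus();
        assertNotEquals(401, code, "open endpoint was challenged for credentials");
        assertNotEquals(403, code, "open endpoint was forbidden");
    };

    @Test
    void subscriberEndpointIsOpenToAnonymousPost() throws Exception {
        // CSRF is disabled in the config, so no token is needed on this POST.
        mockMvc.perform(post("/ws/persons/createNotificationsSubscriber"))
               .andExpect(notRejectedBySecurity);
    }

    @Test
    void otherWsPostsStillRequireAuthentication() throws Exception {
        // Any other POST under /ws/** must reach the authenticated() rule; with
        // httpBasic() configured, an anonymous request is answered with 401.
        // The path below is a constructed sample, not an endpoint from the question.
        mockMvc.perform(post("/ws/persons/somethingElse"))
               .andExpect(status().isUnauthorized());
    }
}
```

If the permitAll line is ever moved back below `.antMatchers(HttpMethod.POST, "/ws/**").authenticated()`, the first test fails with a 401, which is exactly the regression the answer describes.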