Our Spring Boot 2.5.12 app is secured with a security configuration like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().configurationSource(corsConfigurationSource)
            .and()
            .csrf()
            .ignoringAntMatchers("/")
            .and()
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .mvcMatchers(GET, "/endpoint").hasAuthority("SCOPE_" + (Scope.READ))
                .mvcMatchers(GET, "/endpoint/{reference}").permitAll()
                .mvcMatchers(GET, "/error").permitAll()
                .mvcMatchers(GET, "/info").permitAll()
                .mvcMatchers(GET, "/health").permitAll()
                .anyRequest().denyAll())
            .oauth2ResourceServer()
            .authenticationManagerResolver(authenticationManager())
            .accessDeniedHandler(accessDeniedHandler)
            .authenticationEntryPoint(authenticationEntryPoint);
    }

with an AuthenticationManagerResolver bean:

    @Bean
    public AuthenticationManagerResolver<HttpServletRequest> authenticationManager() {
        return request -> {
            ...
            ...
            ...
        };
    }

It looks as if there's a bug: when I access the endpoint /endpoint/ref123 it calls the AuthenticationManagerResolver even though this endpoint is open with a .permitAll(). So in the case where the user accidentally provides an invalid token on this .permitAll() endpoint, they aren't rejected.

If an endpoint is a .permitAll(), then shouldn't Spring not try to validate the token?

  • This will answer your question: https://stackoverflow.com/a/25280897/7506820 – Nico Van Belle Jun 08 '22 at 08:18
  • I apologize. I've updated the question to better represent the situation. I don't want to give anonymous access to all my endpoints. I just want Spring to not try to verify a token in case the user accidentally presents an invalid one. Thank you for your response though. You made me realize a workaround. – Musik Forum Jun 09 '22 at 12:01

1 Answer

I didn't quite find why this is the behavior, but we did find a workaround of sorts.

    @Override
    public void configure(WebSecurity web) {
        web
                .ignoring()
                .mvcMatchers(GET, "/endpoint/{reference}");
    }

It gets Spring Security to ignore tokens altogether... valid or otherwise (which is what I thought permitAll did).
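A narrower alternative, added here as an example and not part of the answer above: `web.ignoring()` drops the route from the entire Spring Security filter chain, so the `cors()` configuration and security headers no longer apply to it either. Supplying a `BearerTokenResolver` that returns no token for the open route instead makes `BearerTokenAuthenticationFilter` skip authentication there (a null token means the filter simply continues the chain) while everything else, including the `permitAll()` rule, still runs. This assumes the same `authenticationManager()` bean from the question is injected as `authenticationManagerResolver`; the class name and the `/endpoint/*` matcher are hypothetical.

```java
import static org.springframework.http.HttpMethod.GET;

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical config class; mirrors the question's set-up without web.ignoring().
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Open route(s): /endpoint/{reference} as an Ant pattern (one path segment after /endpoint/).
    private static final RequestMatcher OPEN_ROUTES =
            new AntPathRequestMatcher("/endpoint/*", GET.name());

    // Assumed to be the AuthenticationManagerResolver bean shown in the question.
    private final AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;

    public ResourceServerConfig(AuthenticationManagerResolver<HttpServletRequest> resolver) {
        this.authenticationManagerResolver = resolver;
    }

    // Wraps the default resolver: for open routes it reports "no bearer token", so the
    // filter never hands a (possibly invalid) token to the AuthenticationManagerResolver.
    // Every other route is resolved exactly as before.
    static BearerTokenResolver skipOpenRoutes(RequestMatcher openRoutes) {
        DefaultBearerTokenResolver delegate = new DefaultBearerTokenResolver();
        return request -> openRoutes.matches(request) ? null : delegate.resolve(request);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .mvcMatchers(GET, "/endpoint/{reference}").permitAll()
                .anyRequest().denyAll())
            .oauth2ResourceServer()
                .bearerTokenResolver(skipOpenRoutes(OPEN_ROUTES))
                .authenticationManagerResolver(authenticationManagerResolver);
    }
}
```

With this in place a stray invalid token on GET /endpoint/ref123 is ignored rather than rejected, while the same token on GET /endpoint is still validated and must carry the READ scope.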