
I need a "/public" endpoint to be accessible to unauthenticated users and every other endpoint to be accessible only to authenticated users. Why doesn't this configuration work? I configured it according to the Spring Security 6 authorization docs. When I access "/public" it responds with 401 Unauthorized.

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a ->
                a.requestMatchers("/public").permitAll()
                        .anyRequest().authenticated()
                );

        return http.build();
    }
}

1 Answer


The configuration of SecurityFilterChain that you have should be:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

  @Bean // without @Bean the method is never called and the default chain stays in place
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(a -> {
      a.requestMatchers("/public/**").permitAll(); // for all paths that start with `/public/..`
      a.anyRequest().authenticated();
    });

    return http.build();
  }
}
Andrei Lisa
  • It still doesn't work :( – Denis_54213213 Aug 22 '23 at 19:19
  • I checked; .authorizeHttpRequests() is invoked. – Denis_54213213 Aug 22 '23 at 19:21
  • Are you logging in with Basic Auth or a Bearer token? Also, is that your whole security config chain? – Andrei Lisa Aug 23 '23 at 03:37
  • There is only one security config. I created a plain project with just the Spring Boot entry point and a single configuration to make sure other components don't affect the .authorizeHttpRequests() method. But it doesn't work anyway. – Denis_54213213 Aug 23 '23 at 03:44
  • May I contact you via Telegram or something to share the plain project with two classes so that you can point out where the issue is? Or is there a way to send it here? – Denis_54213213 Aug 23 '23 at 03:56
  • You can share the GitHub repository (link) to the project here and I will check and give an answer here. – Andrei Lisa Aug 23 '23 at 04:07
  • I created the controller to handle this endpoint. This endpoint is now accessed with 200 OK. But why, if there are no appropriate handlers, does it send 403 Forbidden instead of 404 Not Found by default? – Denis_54213213 Aug 23 '23 at 05:59
  • I cannot tell you why, because I don't see the code. Your main problem was "/public" endpoints responding with 401 Unauthorized, and I am sure that my answer solved the problem. About 403 instead of 404, I think it's a topic for another question, or you can find something similar on why it happens. – Andrei Lisa Aug 23 '23 at 06:21
  • Creating an appropriate handler that handles this endpoint solves this problem. https://github.com/Denis3432522/test-spring-security-project/tree/master Could you check the project please? – Denis_54213213 Aug 23 '23 at 06:50
  • Yep, I checked. This is expected behavior to prevent leakage of path info. Have a look at this answer [receiving-403-instead-of-404](https://stackoverflow.com/questions/70054528/receiving-403-instead-of-404-when-calling-non-existing-endpoint) – Andrei Lisa Aug 23 '23 at 07:06
  • Okay, thank you – Denis_54213213 Aug 23 '23 at 16:13
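The thread above turns on two points: a `SecurityFilterChain` method that is not annotated with `@Bean` is never registered, so Spring Boot's auto-configured chain (which authenticates every request) stays in force; and because the security filter chain runs before the request is dispatched to a controller, an unauthenticated caller is refused before Spring MVC can decide whether a handler exists, which is why a missing path does not come back as 404. Below is an added example, not code from the asker, the answerer, or the linked repository, that puts the corrected configuration next to a small controller and a MockMvc test pinning down that behaviour. It assumes Spring Boot 3.x with Spring Security 6.x and `spring-boot-starter-test` on the classpath; the package name, class names and the `/private` endpoint are hypothetical.

```java
// ---- src/main/java/com/example/demo/DemoApplication.java (hypothetical path) ----
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

// A handler must exist for /public, otherwise even a permitted request ends in an error page.
@RestController
class DemoController {
    @GetMapping("/public")
    String publicEndpoint() { return "public"; }

    @GetMapping("/private")          // hypothetical protected endpoint
    String privateEndpoint() { return "private"; }
}

@Configuration
@EnableWebSecurity
class SecurityConfiguration {

    // @Bean is what registers this chain. Without it Spring never calls the method and keeps
    // Boot's default chain, which requires authentication for every request, including /public.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(a -> a
                .requestMatchers("/public", "/public/**").permitAll() // the open endpoint and anything under it
                .anyRequest().authenticated())                       // everything else needs a principal
            // The authentication mechanism decides what an anonymous caller gets back:
            // with httpBasic() the entry point answers 401; with no mechanism at all, 403.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// ---- src/test/java/com/example/demo/SecurityConfigurationTests.java (separate file) ----
// package com.example.demo;
//
// import org.junit.jupiter.api.Test;
// import org.springframework.beans.factory.annotation.Autowired;
// import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
// import org.springframework.boot.test.context.SpringBootTest;
// import org.springframework.test.web.servlet.MockMvc;
// import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
// import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
//
// @SpringBootTest
// @AutoConfigureMockMvc
// class SecurityConfigurationTests {
//     @Autowired MockMvc mvc;
//
//     @Test
//     void publicIsOpenToAnonymousCallers() throws Exception {
//         mvc.perform(get("/public")).andExpect(status().isOk());
//     }
//
//     @Test
//     void otherEndpointsRequireAuthentication() throws Exception {
//         mvc.perform(get("/private")).andExpect(status().isUnauthorized());
//     }
//
//     @Test
//     void unknownPathsAreNotRevealedToAnonymousCallers() throws Exception {
//         // The filter chain rejects the request before dispatch, so the caller learns
//         // nothing about whether /does-not-exist is mapped: 401 here, not 404.
//         mvc.perform(get("/does-not-exist")).andExpect(status().isUnauthorized());
//     }
// }
```

Run `./mvnw test` (or `./gradlew test`) and the three tests pass with the `@Bean` present; delete the annotation and the first test fails with 401, reproducing the symptom in the question. The last test is the defender's view of the 403-versus-404 discussion in the comments: refusing before dispatch means an anonymous client cannot enumerate which paths are mapped, and the status it sees (401 or 403) is set by the configured entry point, not by whether a handler exists.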