
I have a Spring HttpSecurity configuration as follows:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Class wrapper and name are assumed; the question shows only the method body.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.csrf().disable().httpBasic().and()
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/secure/**").authenticated()
                .antMatchers("/backend/**").authenticated()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
    }
}

It might be stupid for the client to set the Authorization header for '/public/**' endpoints.

However, I noticed that Spring Security attempts to authenticate and create an authenticated session even for public requests, because the Authorization header was provided.

Should the HttpSecurity config not override this behaviour?

F.O.O

1 Answer

Answered in the comments:

No, it shouldn't... permitAll is something different from "not secured at all". For the latter, override 'configure(WebSecurity)' and use 'ignoring' for no security at all.

Marcus Held
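A complete configuration showing both options side by side, added here as an example (it is not the asker's or the answerer's code). It assumes Spring Security 5.x with WebSecurityConfigurerAdapter, as in the question; the class name SecurityConfig and the trailing anyRequest() rule are additions not present in the original snippet.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Class name assumed for this example.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Requests matching these patterns never enter the Spring Security filter
    // chain at all: BasicAuthenticationFilter does not run, so an Authorization
    // header on /public/** is simply ignored. The trade-off is that every other
    // security filter is skipped too (security headers, SecurityContext
    // population), so a controller under /public/** cannot see who the caller is.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers("/public/**")
            .antMatchers(HttpMethod.OPTIONS, "/**");
    }

    // Everything else goes through the full chain. permitAll() on a path would
    // only mean "no authentication is required"; httpBasic() still processes
    // any Authorization header it sees before the authorization decision, which
    // is the behaviour the question observed. Here /public/** no longer needs a
    // permitAll() rule because it is ignored above.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers("/secure/**", "/backend/**").authenticated()
                // Added deny-by-default rule (not in the original): any path
                // not listed above also requires authentication.
                .anyRequest().authenticated();
    }
}
```

With ignoring(), a wrong or expired Authorization header on /public/** is no longer rejected, whereas with permitAll() the basic-auth filter still validates it first and fails the request on bad credentials.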