Spring Security permitall denies access when sending authorization header

Question

My security configuration is as follows:

http.authorizeRequests().antMatchers("/authenticate").fullyAuthenticated().anyRequest().permitAll().and().httpBasic();

It works and all the endpoints but /authenticate are not secured. But when the client sends Authorization header to any of the unsecured endpoints then Spring Security returns 401.

curl -s -u asdf:asdf http://127.0.0.1:22000/info
{"timestamp":1511348485989,"status":401,"error":"Unauthorized","message":"Bad credentials","path":"/info"}

How I must to configure security to ignore Authorization header on unsecured endpoints if it is sent?

Thanks in advance

The basic authentication filter doesn't know that the URl is allowed for anonymous users, so it can not handle this case. It just try to authenticate the user with username and password given in request. — dur, Nov 22 '17 at 12:08
Possible duplicate of [HttpSecurity, WebSecurity and AuthenticationManagerBuilder](https://stackoverflow.com/questions/22998731/httpsecurity-websecurity-and-authenticationmanagerbuilder) — Kalle Richter, Oct 19 '19 at 21:30

score 1 · Answer 1 · answered Aug 03 '23 at 15:27

I solved this problem by creating WebSecurityCustomizer bean SecurityConfiguration which configures to ignore required patterns:

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return webSecurity -> webSecurity.ignoring().requestMatchers("/api/allowedPath/**");
    }

Spring Security permitall denies access when sending authorization header

1 Answers1

Linked