Spring Boot 2 not ignoring authorization header on permitAll

Question

I've spring security configured like this:

@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
      .antMatchers("/rest/app/health").permitAll()
      .antMatchers("/*/app/**").authenticated()
      .antMatchers("/**").permitAll().and().httpBasic();
  }

  @Override
  public final void configure(final WebSecurity web) throws Exception {
    super.configure(web);
    web.httpFirewall(new DefaultHttpFirewall());
  }

}

I've only included spring security and not oauth2. Due to some reason if someone is accessing any permitted url for eg. /rest/app/health with Authorization header he is getting 401 Unauthorized. It's working fine without the header.

How can I ignore the Authorization header, because I need this header as a request param to delegate my request to a third party service.

Answer 1

Filters will be executed for all the endpoints that are configured through HttpSecurity. If you do not want filters to be applied for certain endpoints, include them in a method that configures WebSecurity.

You need to change this method

 @Override
  public final void configure(final WebSecurity web) throws Exception {
    super.configure(web);
    web.httpFirewall(new DefaultHttpFirewall());
  }

to:

@Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers(HttpMethod.POST, "/rest/app/health");
    }