
I have a Spring Security configuration that "authenticates" the user by reading a specific header value, thus using `RequestHeaderAuthenticationFilter`:

```java
private RequestHeaderAuthenticationFilter requestHeaderFilter() throws Exception {
    RequestHeaderAuthenticationFilter authenticationFilter = new RequestHeaderAuthenticationFilter();
    authenticationFilter.setPrincipalRequestHeader("user");
    authenticationFilter.setAuthenticationManager(this.authenticationManager());
    return authenticationFilter;
}

private static final String HEALTH_PATH_NOAUTH = "/actuator/health";

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(HEALTH_PATH_NOAUTH);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.cors();
    http.authorizeRequests().anyRequest().authenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilter(requestHeaderFilter());
}
```

I need to exclude a certain path from security: "/actuator/health". First I tried to "permitAll" by configuring HttpSecurity:

```java
http.authorizeRequests().antMatchers(HEALTH_PATH_NOAUTH).permitAll().anyRequest().authenticated();
```

But neither this nor overriding "WebSecurity", as you see in the first listing, helped. RequestHeaderAuthenticationFilter always throws its exception if the header is not set. I want this exception to be thrown, but not for this certain path.

How to solve this?

UPDATE: I removed the "bean" and made the method private, but this should make no difference - `web.ignoring().antMatchers(HEALTH_PATH_NOAUTH);` should work regardless of whether any filter is added explicitly, as a bean, or even twice - right?

dermoritz
  • Possible duplicate of [Filter invoke twice when register as Spring bean](https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean) – dur Oct 10 '19 at 14:21
  • In my case adding the filter is OK (twice also) - should "web.ignoring" not ignore all filters regardless of how many? – dermoritz Oct 11 '19 at 08:14
  • No, it ignores only filters in the security filter chain. The second filter is in the web filter chain, which is not ignored. – dur Oct 12 '19 at 09:21
  • What second filter? – dermoritz Oct 15 '19 at 06:58
  • The one which is added twice, first in the security filter chain and second in the servlet filter chain. – dur Oct 19 '19 at 21:17
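
Added example, not part of the original question or comments: the double registration described in the comments, and one way to switch off the servlet-level copy so that `web.ignoring()` is the only thing deciding whether the filter runs. It assumes Spring Boot with `WebSecurityConfigurerAdapter` and an authentication manager configured elsewhere, as in the question; the class name `HeaderAuthSecurityConfig` and the bean method `requestHeaderFilterRegistration` are hypothetical.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
public class HeaderAuthSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    private static final String HEALTH_PATH_NOAUTH = "/actuator/health";

    // As a @Bean, Spring Boot would also register this filter in the servlet
    // filter chain, where web.ignoring() has no effect.
    @Bean
    public RequestHeaderAuthenticationFilter requestHeaderFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("user");
        filter.setAuthenticationManager(authenticationManager()); // assumed configured elsewhere
        return filter;
    }

    // Disables the servlet-level registration; the filter then runs only
    // inside the Spring Security filter chain.
    @Bean
    public FilterRegistrationBean<RequestHeaderAuthenticationFilter> requestHeaderFilterRegistration(
            RequestHeaderAuthenticationFilter filter) {
        FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration =
                new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    public void configure(WebSecurity web) {
        // No security filter chain is applied to the health endpoint.
        web.ignoring().antMatchers(HEALTH_PATH_NOAUTH);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors();
        http.authorizeRequests().anyRequest().authenticated();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilter(requestHeaderFilter());
    }
}
```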
