I am following an example that has code that I modified per spring-security-filter-only-on-secured-endpoints.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/secureSide/**")
        .cors().and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .and().addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf().disable()
        .formLogin().disable()
        .httpBasic().disable()
        .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
        .and().authorizeRequests()
        .anyRequest().authenticated();
}
```
and two separate controllers as:
```java
@RestController
@RequestMapping("/secureSide")
@EnableAutoConfiguration(exclude = SecurityAutoConfiguration.class)
public class SecureController {
    ...
}

@RestController
@RequestMapping("/completelyOpen")
public class OpenController {
    ...
}
```
But when endpoints defined in `OpenController` are called by the client, `doFilterInternal` still gets called, even though the filter is supposed to be called for `SecureController`.

So how can the call to `doFilterInternal` (of `TokenFilter extends OncePerRequestFilter`) be prevented?