Problem

I have an API which I need to secure using Spring Security 6 (using Spring Boot 3.1.1) and I am also using Spring OAuth Resource Server. All endpoints must be secured, except for those that start with /api and /auth prefixes.

// build.gradle
// versions come from Spring Boot 3.1.1
implementation "org.springframework.boot:spring-boot-starter-security"
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springframework.security:spring-security-oauth2-jose'

Here's how my security config class looks

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    fun springSecurity(http: HttpSecurity): SecurityFilterChain {
        http
            .authorizeHttpRequests {
                // anything under /api or /auth is open; everything else needs an authenticated principal
                it.requestMatchers("/api/**", "/auth/**").permitAll()
                    .anyRequest().authenticated()
            }.oauth2ResourceServer {
                // validate bearer tokens as JWTs using the issuer-uri from application.yml
                it.jwt(Customizer.withDefaults())
            }.cors {
                it.disable()
            }
        return http.build()
    }
}

and here's application.yml

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: {ISSUER_URI}

Why is this a problem

For some reason my configuration for requestMatchers does not work. It works if I set it to /** and then all endpoints are unsecured, but I only want to unsecure the /api and /auth ones.

Currently, they return 401 with a WWW-Authenticate: Bearer header if I try to ping, say, the /api/meta/types endpoint. This indicates that for some reason the app is expecting a bearer token, which I don't want to provide.

Question

Which values do I need to put into this requestMatchers method so that if I query an endpoint which starts with /api or /auth, Spring Security does not request a bearer token and just executes the request?
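A way to pin down which paths the filter chain actually lets through, as an added example that is not part of the question above: a MockMvc test that boots the real SecurityConfig, replaces the JwtDecoder with a mock so nothing is fetched from the issuer, and asserts that the /api and /auth prefixes get no bearer challenge while another path does. The package name, the test path /internal/report, the issuer value https://issuer.example and the presence of spring-boot-starter-test on the test classpath are assumptions, not something the question states.

```kotlin
// Assumed package; adjust to the project's own.
package com.example.securitydemo

import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.boot.test.mock.mockito.MockBean
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.header
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status

// Boots the full context so the real SecurityConfig is under test, and pins issuer-uri
// to a constructed value so the test does not depend on the {ISSUER_URI} placeholder.
@SpringBootTest(properties = ["spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer.example"])
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired
    lateinit var mockMvc: MockMvc

    // Replaces the auto-configured decoder so the issuer is never contacted.
    // No request in this test carries a token, so the mock is never asked to decode one.
    @MockBean
    lateinit var jwtDecoder: JwtDecoder

    @Test
    fun `public prefixes are reachable without a bearer token`() {
        // Whether these end in 200 or 404 depends on which controllers exist;
        // what matters is that the filter chain does not answer with a 401 challenge.
        for (path in listOf("/api/meta/types", "/auth/login")) {
            mockMvc.perform(get(path))
                .andExpect(header().doesNotExist("WWW-Authenticate"))
                .andExpect { result ->
                    check(result.response.status != 401) { "$path was challenged for a token" }
                }
        }
    }

    @Test
    fun `every other path is challenged for a bearer token`() {
        // /internal/report is an assumed path outside the permitAll prefixes.
        mockMvc.perform(get("/internal/report"))
            .andExpect(status().isUnauthorized)
            .andExpect(header().exists("WWW-Authenticate"))
    }
}
```

If the first test fails while the second passes, the matchers are being evaluated against a different path than expected (for example under a servlet context path), which is the first thing worth checking before changing the permitAll patterns; if both fail, the chain itself is not being picked up.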
