How to allow all and any requests with Spring Security?
W

4

11

I've just added Spring Security to my project. I've also added this configuration:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }

}

but now not all of my endpoints work. In fact, only a single endpoint works; for the rest I get 403 Forbidden. What could be the problem? How can I allow any and all requests (effectively making security a pass-through)?

Woehick answered 12/5, 2020 at 20:40 Comment(2)
try this http.authorizeRequests().antMatchers("/**").permitAll().anyRequest()Reganregard
Is the working end point perhaps a GET request, and all the failing ones POST requests?Maledict
P
8

If you want to allow some URL to be accessed without authentication, it is a better practice to prepare some whitelist and pass it to the method antMatchers().

The antMatchers() accepts wildcards as well. If you are sure you don't want any of the endpoints to be authenticated, put /**. But you already have Spring Security, why not use the full power of it?

Here is a simple way of doing it.

private static final String[] AUTH_WHITELIST = {
   "/v2/api-docs", "/swagger-resources", "/swagger-resources/**",
};

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
            .antMatchers(AUTH_WHITELIST).permitAll()
            .antMatchers("/csrf").permitAll()
            .anyRequest().authenticated(); 
}
Pongee answered 12/5, 2020 at 21:6 Comment(0)
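The same allowlist idea written for Spring Boot 3 / Spring Security 6, as an added example that is not code from the answer above or from the Spring project: `antMatchers` became `requestMatchers`, and instead of `csrf().disable()` only a stateless `/api/**` prefix is exempted from CSRF. The path names, the `ADMIN` role, HTTP Basic and a single DispatcherServlet are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AllowlistSecurityConfig {

    // Hypothetical public paths; same role as AUTH_WHITELIST in the answer above.
    private static final String[] PUBLIC_ENDPOINTS = {
        "/v2/api-docs", "/swagger-resources", "/swagger-resources/**",
        "/actuator/health"
    };

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated top-down and the first matching rule wins,
            // so the specific permits must precede the catch-all.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(PUBLIC_ENDPOINTS).permitAll()
                // Method-scoped rule: anonymous reads only, writes still need authentication.
                .requestMatchers(HttpMethod.GET, "/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")          // assumed role
                .anyRequest().authenticated())                          // deny by default
            // CSRF stays on for everything browser-facing; only the assumed
            // token-authenticated, cookie-free /api/** prefix is exempted.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

`anyRequest()` has to be the last rule: Spring Security throws an `IllegalStateException` if another matcher is registered after it, which is a useful guard against an accidentally shadowed rule.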
P
13

I had to add .csrf().disable() to make it work.

So the whole solution for me was

http.csrf().disable().authorizeRequests().anyRequest().permitAll();
Phillie answered 17/1, 2022 at 20:31 Comment(1)
Okay. According to the documentation csrf() "Enables CSRF protection. This is activated by default when using WebSecurityConfigurerAdapter's default constructor." So csrf().disable() actually disables protection and permits CSRF.Jacoby
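What the comment above amounts to, as an added JUnit example that is not from the answer: with `permitAll()` alone and CSRF left at its default, a GET passes while a POST is refused with 403 until a token is supplied, which is the "one endpoint works, the rest 403" symptom from the question. It assumes Spring Boot 3 / Spring Security 6 with `spring-boot-starter-test` and `spring-security-test` on the test classpath; the `/ping` endpoint and the nested `App` configuration are constructed for the example.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example: permitAll() opens authorization but does not touch CSRF protection.
@SpringBootTest(classes = PermitAllStillHasCsrfTest.App.class)
@AutoConfigureMockMvc
class PermitAllStillHasCsrfTest {

    @Autowired
    MockMvc mvc;

    // Hypothetical minimal application: one endpoint reachable via GET and POST.
    @Configuration
    @EnableAutoConfiguration
    @EnableWebSecurity
    static class App {

        @Bean
        SecurityFilterChain chain(HttpSecurity http) throws Exception {
            // Authorization is fully open; CSRF is left at its default (enabled).
            http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
            return http.build();
        }

        @Bean
        PingController pingController() {
            return new PingController();
        }
    }

    @RestController
    static class PingController {
        @GetMapping("/ping")
        String read() { return "pong"; }

        @PostMapping("/ping")
        String write() { return "pong"; }
    }

    @Test
    void safeMethodIsNotCsrfChecked() throws Exception {
        // GET is a safe method: CsrfFilter requires no token, so permitAll() is enough.
        mvc.perform(get("/ping")).andExpect(status().isOk());
    }

    @Test
    void stateChangingMethodWithoutTokenIsRejected() throws Exception {
        // POST without a token is stopped by CsrfFilter before authorization runs: 403, not 401.
        mvc.perform(post("/ping")).andExpect(status().isForbidden());
    }

    @Test
    void stateChangingMethodWithTokenIsAccepted() throws Exception {
        // csrf() attaches a valid token, as a correctly built form or SPA request would.
        mvc.perform(post("/ping").with(csrf())).andExpect(status().isOk());
    }
}
```

The third test is the distinction worth keeping in mind: the 403 is not an authorization failure, so the fix that preserves protection for cookie-authenticated clients is to send the token (or exempt only cookie-free API paths), not to turn CSRF off for the whole application.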
L
0

You can try with

http.authorizeRequests().antMatchers("/**").permitAll();
Leclair answered 12/5, 2020 at 20:45 Comment(5)
Why? What is different between this and their attempt?Graphemics
I don't quite understand what you are asking. Who's "they"?Leclair
I think they were referring to the FAQ: if there is already an answer to a question improve that, and don't post your own.Woehick
Oh, but when I posted this there were no answers yet.Leclair
They = the OP. What does antMatchers("/**") do differently than anyRequest()?Graphemics
V
0

Anyone using Spring Boot 3 & Spring Security 6 can use the following code, since configuring security by extending WebSecurityConfigurerAdapter is deprecated. Create a bean of SecurityFilterChain using the following configuration.

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity.csrf().disable()             // disable CSRF protection
              .authorizeHttpRequests().anyRequest().permitAll()  // Allow any request.
              .and().build();  // build & return DefaultSecurityFilterChain 
    }
}

Using Lambda DSL

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity.csrf(AbstractHttpConfigurer::disable)   // disable CSRF protection
                .authorizeHttpRequests(httpRequest -> {
                    // requestMatchers replaces antMatchers, which no longer exists in Spring Security 6
                    httpRequest.requestMatchers("/**").permitAll(); // Allow all endpoints
                })
                .build(); // build & return DefaultSecurityFilterChain
    }
}

Vescuso answered 5/8, 2024 at 9:44 Comment(0)
