How to allow certain endpoint in spring security to be allowed without authentication?

I have a Spring Boot REST API web app in which I am using Spring Security to require authentication on most endpoints. This is part of the code:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

public class SecurityConfig extends WebSecurityConfigurerAdapter {
    ....
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                // this filter chain is only applied to requests matching these paths
                .requestMatchers()
                .antMatchers("/oauth/token")
                .and()
                // never create an HTTP session; every request must carry its own credentials
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // CORS preflight requests are always allowed
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                // everything else handled by this chain requires an authenticated user
                .anyRequest().authenticated();
    }
}

Can someone explain what each line beginning with http.csrf means?

How can I modify the above code so that the endpoint /bars/pk can be accessed without requiring authentication, just as if there were no Spring Security?

ace asked Sep 05 '25 09:09


2 Answers

By default, Spring Boot activates protection against CSRF attacks (Cross-Site Request Forgery). The attack consists of a malicious site taking advantage of a user being already authenticated to a site (e.g. a bank) in order to trick the user into performing actions on that site (e.g. a fund transfer).

The protection against the attack consists of the Spring Boot application sending a token with every response and expecting the token to be sent back by the client on subsequent requests. If the token is not received, Spring Boot returns an error.

Sometimes you want to disable this behavior (at your own risk), so you use csrf().disable(). You might find it convenient to disable CSRF protection if you develop a stateless API and have no way to link a POST request to any previous request or session. But again, you need to consider this and reason about it carefully.

Please note that CSRF protection has no effect on GET requests. It only affects state-changing requests (e.g. POST, DELETE).

In order to allow anyone to access your endpoints, without requiring any authentication, you need to use

http.authorizeRequests().antMatchers("/**").permitAll();

EDIT

To specifically allow unauthenticated requests to /bars/pk and keep the other elements unchanged, modify your code as follows:

http.csrf().disable()
        .requestMatchers()
        .antMatchers("/oauth/token")
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        .antMatchers("/bars/pk").permitAll()
        .anyRequest().authenticated();
HL'REB answered Sep 08 '25 10:09
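The configuration below is an added example (not code from the question or from the answer above) that puts the answer's permitAll() rule into a complete class, using the same Spring Security 5.x WebSecurityConfigurerAdapter API as the question. One check worth making before copying the snippet into the original config: http.requestMatchers().antMatchers("/oauth/token") restricts the whole filter chain to /oauth/token, so a permitAll() rule for /bars/pk inside that chain is never consulted for a request to /bars/pk unless the path is also covered by the chain's request matcher (or by another chain, such as a resource-server configuration). The class name, the /oauth/token path and the /bars/pk path come from the question; restricting the public rule to GET is an assumption.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example, not the poster's code: a stateless filter chain that
 * exposes GET /bars/pk without authentication while every other request
 * it handles still requires an authenticated principal.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain only handles the paths listed here. A permitAll()
            // rule for /bars/pk further down is ignored unless /bars/pk is
            // also matched at this level, so it is listed next to /oauth/token.
            .requestMatchers()
                .antMatchers("/oauth/token", "/bars/pk")
                .and()
            // No HTTP session is ever created, so there is no session cookie
            // for a cross-site request to ride on; that is why CSRF protection
            // can be switched off for this chain. Keep it on for any chain that
            // authenticates with a session cookie.
            .csrf().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // CORS preflight requests carry no credentials
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                // Public endpoint: exact path and method, declared before the
                // catch-all rule because the first matching rule wins
                .antMatchers(HttpMethod.GET, "/bars/pk").permitAll()
                // Everything else this chain handles (here: /oauth/token)
                .anyRequest().authenticated();
    }
}
```

permitAll() still sends the request through the security filter chain; the authorization rule is simply satisfied for an anonymous principal. A request to /bars/pk that carries a malformed or expired bearer token can therefore still be rejected by the token filter before the rule is reached. If the endpoint must behave exactly as if Spring Security were absent (no authentication filters, no security headers), override configure(WebSecurity web) and call web.ignoring().antMatchers("/bars/pk") instead; that excludes the path from the filter chain entirely, which also means it gets none of the protections the chain adds.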


Here is a complete example:

// allowedResources, protectedResources and adminResources are String[] path patterns,
// and USER / ADMIN are role-name constants, defined elsewhere in the poster's class
httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.GET)
        .permitAll() // Allow all GET requests to go unauthenticated
        .antMatchers(allowedResources)
        .permitAll() // Allow all requests to go unauthenticated for the specified paths
        .antMatchers(protectedResources).hasRole(USER)
        .antMatchers(adminResources).hasRole(ADMIN)
        .anyRequest().authenticated(); // Authenticate all other request paths
Tuhin Kanti Sharma answered Sep 08 '25 12:09
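The class below is an added example (not the answer's code) that shows why the order of the antMatchers() rules in a configuration like the one above matters. Spring Security evaluates the rules in declaration order and applies the first one that matches, so a blanket rule such as antMatchers(HttpMethod.GET).permitAll() placed first also permits unauthenticated GET requests to the admin paths declared after it. The path patterns and role names are assumptions chosen for illustration.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example, not the answer's code: rule ordering in authorizeRequests().
 * The first antMatchers() rule that matches a request decides the outcome,
 * so narrow, privileged rules must be declared before broad, permissive ones.
 */
@EnableWebSecurity
public class OrderedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed path patterns for illustration
    private static final String[] ALLOWED_RESOURCES   = {"/", "/public/**", "/bars/pk"};
    private static final String[] PROTECTED_RESOURCES = {"/api/**"};
    private static final String[] ADMIN_RESOURCES     = {"/admin/**"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // WEAK ORDER (kept as a comment for contrast): with the blanket
            // GET rule first, GET /admin/users matches it, is permitted, and
            // never reaches the ADMIN rule below.
            //     .antMatchers(HttpMethod.GET).permitAll()
            //     .antMatchers(ADMIN_RESOURCES).hasRole("ADMIN")

            // Correct order: most specific and most privileged rules first.
            // hasRole("ADMIN") checks for the authority ROLE_ADMIN.
            .antMatchers(ADMIN_RESOURCES).hasRole("ADMIN")
            .antMatchers(PROTECTED_RESOURCES).hasAnyRole("USER", "ADMIN")
            .antMatchers(ALLOWED_RESOURCES).permitAll()
            // Read-only access to whatever is left; admin and API paths were
            // already decided by the rules above, so this cannot widen them.
            .antMatchers(HttpMethod.GET).permitAll()
            // Any other method on any other path needs an authenticated user
            .anyRequest().authenticated()
            .and()
            // Assumed authentication mechanism for the example
            .httpBasic();
    }
}
```

A quick way to verify the ordering on a running application is an unauthenticated request against an admin path, e.g. curl -i http://localhost:8080/admin/users: with the rules in the order shown it must be rejected (401 with httpBasic()), whereas with the commented-out order it would be served.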