permitAll() not working in Spring Security 6 with Spring boot

Question

I have set up a custom SecurityFilterChain with JWT authentication and for testing I permitted all the requests on a test route.

Even with disabling the httpBasic and formLogin authentication I still received 401 unauthorised. So, I excluded the SpringAutoConfiguration class from @SpringBootApplication. Then I received Whitelabel error page.

I am a beginner so please guide me in solving this issue.

I tried many a variations of the httpSecurity but couldn't find a solution.

    @Configuration
    @EnableWebSecurity
    public class AppConfig {
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // simple httpSecurity just to check
    //        return http.sessionManagement(s ->
    //                        s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
    //                .authorizeRequests(auth -> auth
    //                            .requestMatchers("/home").permitAll()
    //                            .anyRequest().authenticated())
    ////                .httpBasic(Customizer.withDefaults())
    ////                .formLogin(FormLoginConfigurer::disable)
    //                .build();

    // original code which I want to work with.
        return http
                .authorizeHttpRequests(auth -> auth
    //                    .requestMatchers(HttpMethod.GET, "/").permitAll()
    //                    .requestMatchers(HttpMethod.POST,"/api/auth/**").permitAll()
                        .requestMatchers("/home").permitAll()
                        .anyRequest().authenticated())
                .addFilterBefore(new JwtTokenValidationFilter(), BasicAuthenticationFilter.class)
                .httpBasic(HttpBasicConfigurer::disable)
    ////            .csrf(AbstractHttpConfigurer::disable)
    ////            .cors(corsConfigurer -> corsConfigurer
    ////                    .configurationSource(request -> {
    ////                        CorsConfiguration cors = new CorsConfiguration();
    ////                        cors.setAllowedOrigins(List.of("http://localhost:3000"));
    ////                        cors.setAllowedMethods(List.of("*"));
    ////                        cors.setAllowCredentials(true);
    ////                        cors.setAllowedHeaders(List.of("*"));
    ////                        cors.setExposedHeaders(List.of("Authorization"));
    ////                        cors.setMaxAge(3600L);
    ////                        return cors;
    ////                    }))
              .build();


    //        return http.build();
    }
    


        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }

I can further provide the JWTUtil and JWTValidation class.

    @RestController
    public class HomeController {
        @GetMapping("/home")
        public String homeController() {
            return "Hello from Home";
        }
    }

I tried to create a custom SecurityFilterChain and authenticate using JWT. I have looked for solutions already present on StackOverflow but they were very old. And still couldn't figure out what am I missing.

Answer 1

You can try to provide a list of paths where you permit all types of requests in the requestMatchers() method:

http.authorizeHttpRequests(auth -> auth
    .requestMatchers("/", "/api/auth/**", "/home" ).permitAll()
    .anyRequest().authenticated())

You can also add @EnableMethodSecurity annotation in your Config class.

Let me know if this helped.