I have the following Spring Security configuration:
httpSecurity .csrf().disable() .exceptionHandling() .authenticationEntryPoint(unauthorizedHandler) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers("/api/**").fullyAuthenticated() .and() .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);The authenticationTokenFilterBean() is applied even on endpoints that do not match /api/** expression. I also tried adding the following configuration code:
@Overridepublic void configure(WebSecurity webSecurity) { webSecurity.ignoring().antMatchers("/some_endpoint");}but this still did not solve my problem. How can I tell Spring Security to apply filters only on endpoints that match the secured URI expression?
Advertisement
Answer
I have an application with the same requirement and to solve it I basically restricted Spring Security to a given ant match patter (using antMatcher) as follows:
http .antMatcher("/api/**") .authorizeRequests() // .anyRequest().authenticated() // .and() .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);You can read it as follows: for http only invoke these configurations on requests matching the ant pattern /api/** authorizing any request to authenticated users and add filter authenticationTokenFilterBean() before UsernamePasswordAuthenticationFilter. For all others requests this configuration has no effect.