Spring Security latest version securityFilterChain configuration-CodePudding

I'm trying to apply latest version of spring configuration. I want to permit all to the h2-console but the application still wants me to authorise.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests()
                .shouldFilterAllDispatcherTypes(false)
                .requestMatchers("/api/v1/auth/**").permitAll()
                .requestMatchers("/h2-console/**").permitAll()
                .and()
                .authorizeHttpRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .csrf().disable()
                .headers().frameOptions().disable();

        return http.build();
    }

I've tried to even change the url of h2-console but it didn't help. The behaviour is weird because .requestMatchers("/api/v1/auth/**").permitAll() works fine.

CodePudding user response：

Please re-write the code like this and try again.

@Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/h2-console/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
        .build();
    }

CodePudding user response：

To permit different paths you should use:

http
    .authorizeHttpRequests()
    .antMatchers("/api/v1/auth/**", "/h2-console/**").permitAll()
    .and()
    ...

Keep in Mind: The purpose of requestMatchers() is to specify which requests the spring security configuration will be applied to.