I am trying to implement security where no filters are applied to my login, signup and home URLs.
I am using Spring Boot 2.7.1.
As per my understanding, when I am using antMatchers("/**/signup").permitAll()
no filter should be applied to my signup URL.
Upon debugging, I found that my signup URL was being hit and user details were saved, but my AuthorizationFilter was also being executed.
This is my SecurityFilterChain:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Build an AuthenticationManager backed by the custom UserDetailsService and BCrypt.
    AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
    authenticationManagerBuilder.userDetailsService(userLoginService).passwordEncoder(bCryptPasswordEncoder);
    AuthenticationManager authenticationManager = authenticationManagerBuilder.build();

    http.csrf().disable()
        .authorizeHttpRequests()
            // permitAll() only affects the authorization decision; every filter in the chain still runs.
            .antMatchers("/**/login").permitAll()
            .antMatchers("/**/signup").permitAll()
            .antMatchers("/home/**").permitAll()
            .anyRequest().authenticated()
            .and()
        // Custom authentication and authorization filters (JWT-style); both are invoked for every request.
        .addFilter(getAuthenticationFilter(authenticationManager))
        .addFilter(new AuthorizationFilter(authenticationManager))
        .authenticationManager(authenticationManager)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    return http.build();
}
Can somebody please tell me what I am missing and how I can fix it?
CodePudding user response:
When you use permitAll() you are not disabling the filters, you are just specifying that you do not want to apply any authentication/authorization checks for that RequestMatcher. All the filters will still work.
The AuthorizationFilter will be invoked but since you configure permitAll() for that endpoint, it will always grant access.
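The following configuration is an added example, not code from the question or the answer above, illustrating the distinction the answer makes: permitAll() leaves every filter in the chain running and only relaxes the authorization decision, whereas web.ignoring() removes the whole Spring Security filter chain from a URL. The class names TokenAuthorizationFilter and TokenValidator, and the token-lookup logic inside them, are assumptions made for this example; the question does not show how its AuthorizationFilter works.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical: turns a bearer token into an Authentication, or returns null if it is invalid. */
interface TokenValidator {
    Authentication authenticate(String token);
}

/**
 * Hypothetical stateless filter. It is still invoked on permitAll() URLs; what makes those
 * URLs usable anonymously is that a missing Authorization header is passed through untouched,
 * so the authorization step (permitAll vs. authenticated) decides the outcome, not this filter.
 */
class TokenAuthorizationFilter extends OncePerRequestFilter {

    // URLs for which this filter does nothing at all (optional; the pass-through below already
    // handles anonymous requests, this only avoids the work of parsing a token on public paths).
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(List.of(
            new AntPathRequestMatcher("/**/login"),
            new AntPathRequestMatcher("/**/signup")));

    private final TokenValidator tokenValidator;

    TokenAuthorizationFilter(TokenValidator tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return PUBLIC_URLS.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No credentials: continue as anonymous; authorizeHttpRequests() decides later.
            chain.doFilter(request, response);
            return;
        }
        Authentication auth = tokenValidator.authenticate(header.substring("Bearer ".length()));
        if (auth == null) {
            // A presented but invalid token is rejected outright, even on a permitAll() URL.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}

@Configuration
class ExampleSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, TokenValidator tokenValidator) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeHttpRequests()
                // Filters still run here; only the access decision is relaxed.
                .antMatchers("/**/login", "/**/signup").permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(new TokenAuthorizationFilter(tokenValidator),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    /**
     * The only way to make Spring Security skip a URL entirely. Note the trade-off: ignored
     * requests also lose the security headers, CSRF protection and any other filter in the chain,
     * so prefer permitAll() plus a pass-through filter unless the content is truly static.
     */
    @Bean
    WebSecurityCustomizer ignoreStaticHome() {
        return web -> web.ignoring().antMatchers("/home/**");
    }
}
```

With this layout, a request to /api/signup without a token passes through TokenAuthorizationFilter, is permitted by authorizeHttpRequests(), and reaches the controller; a request to /home/index.html never enters the security filter chain at all. Which of the two behaviours the question wants for /home/** depends on whether those responses need the security headers that the chain adds.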