Disabling Spring Security from running based on RequestURI

I want to disable Spring Security from running based on RequestURI. So I don’t want to enter the configure method, because I find "AuthenticationManager" in the "auth/findRealm" service.

Java version: 17
Spring Security version: 2.7.4

SecurityClass

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
    private final AuthenticationManagerResolver authenticationManagerResolver;

    public SecurityConfig(
            @Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
            @Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
            AuthenticationManagerResolver authenticationManagerResolver) {
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
        this.authenticationManagerResolver = authenticationManagerResolver;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
            http
                    .cors().and()
                    .authorizeRequests()
                    .antMatchers("/auth/findRealm").permitAll()
                    .anyRequest().authenticated()
                    .and().exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .and()
                    .oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
                    .authenticationManagerResolver(request -> authenticationManagerResolver.resolveAuthenticationManager(request));
        return http.build();
    }
}

Custom AuthenticationManagerResolver class

@Service
@RequiredArgsConstructor
public class AuthenticationManagerResolver {

    private final AuthenticationClientService authenticationClientService;

    public AuthenticationManager resolveAuthenticationManager(HttpServletRequest request) {
        String applicationCode = request.getHeader("applicationCode");
        String realm = authenticationClientService.findRealm(applicationCode);
        JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(realm));
        return new ProviderManager(Collections.singletonList(authenticationProvider));
    }
}

How can I overcome this situation?

Solution:

To completely disable Spring Security for certain URLs, you can configure a WebSecurityCustomizer bean to customize WebSecurity:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // Requests matching these patterns skip the Spring Security filter chain entirely.
        return (web) -> web.ignoring().requestMatchers("/foo", "/bar/**");
    }

}

This disables Spring Security for the URLs /foo and /bar and all sub-paths under /bar (e.g. /bar/baz).
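A request matched by web.ignoring() bypasses every security filter, so it also gets no security response headers, CSRF handling or security context. As an added example (not part of the question or the answer above), the configuration below keeps those filters on /auth/findRealm by giving that path its own filter chain without oauth2ResourceServer(), so the resolver is only consulted on the second chain. Assumptions: the Spring Security 5.7 API (antMatcher, authorizeRequests), a hypothetical class name, and a resolver bean that implements Spring's AuthenticationManagerResolver<HttpServletRequest> interface.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (hypothetical class name), written against the Spring Security 5.7 API.
@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    // Chain 1: claims only /auth/findRealm. It has no oauth2ResourceServer(),
    // so no bearer-token filter runs and the resolver is never called here,
    // while header writing, CSRF and the other default filters stay active.
    @Bean
    @Order(1)
    public SecurityFilterChain realmLookupChain(HttpSecurity http) throws Exception {
        http
                .antMatcher("/auth/findRealm")
                .cors().and()
                .authorizeRequests(authz -> authz.anyRequest().permitAll());
        return http.build();
    }

    // Chain 2: every other request must present a valid JWT. The resolver bean
    // (assumed to be defined elsewhere) picks the AuthenticationManager per request.
    @Bean
    @Order(2)
    public SecurityFilterChain apiChain(
            HttpSecurity http,
            AuthenticationManagerResolver<HttpServletRequest> resolver) throws Exception {
        http
                .cors().and()
                .authorizeRequests(authz -> authz.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```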
