Skip unprotected url (http.authorizeRequests().antMatchers("url").permitAll()) from Authorization bearer validation #947
Comments
@youssefguenoun Why do you need to set the Authorization header when calling unprotected resources? This doesn't make sense to me. You should only set the Authorization header when calling a protected resource.
I have a similar issue, here is the authentication application configuration:
we record the access token in a browser cookie, there is a gateway application before the authentication application, the gateway will pick up the access token from the cookie and set it to the Authorization header when forwarding the request, the gateway doesn't know whether the forwarded url is protected, current behavior is: when the token is expired, the unprotected resources (such as /authentication/public/login) are not available when the browser cookie is still present. Or is there a way to totally disable the spring security for some particular urls when configuring through
Same problem.
Same problem. Anyone found a solution?
try this:
Fair enough, but having a public API exposed to the internet it's not always possible to convince all the clients to build proper HTTP requests. From the security configuration perspective, if an endpoint is configured as unsecured then there is no reason to validate Authorization headers for that endpoint whatsoever.
@mpryahin I totally agree with you, but spring security (in any case the version I used in 2017) doesn't behave that way! If it detects an Authorization header, it automatically validates it. Anyway it wasn't really an issue, in our case the real issue came from some API client code which filled an Authorization bearer header even if the API endpoint was not secured! PS: If we share the same understanding, you guys, we can now close this issue :) Cheers,
@youssefguenoun Yes, but before closing the issue, will we acknowledge that it's ok for external clients which are out of our control to be able to affect the behaviour of the backend application?
Thanks for your input @imranasif ! @mpryahin @youssefguenoun Have you tried the solution that @imranasif suggested in this comment? This is exactly what you need to do to disable security for specific endpoints. For example:

```java
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityUnprotected extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored paths bypass the security filter chain entirely,
        // so no bearer token validation runs for them.
        web.ignoring().mvcMatchers("/unprotected1", "/unprotected2", "/unprotected3");
    }
}
```

I'm going to close this issue as answered. If you are still having an issue we can re-open.
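An added example, not code from this thread or from the spring-security-oauth project, that puts the two calls side by side in one adapter so the difference is visible: a path listed under web.ignoring() never enters the security filter chain, while a permitAll() path still passes through the bearer token filter and is rejected when a present token fails validation. It assumes Spring Security 5.2+ with its own resource server support (oauth2ResourceServer().jwt() plus a JwtDecoder bean configured elsewhere) rather than the spring-security-oauth filter the issue was filed against; the paths /public/** and /health and the class name are placeholders.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Hypothetical path. Requests matching it are removed from the security
        // filter chain altogether: no bearer token filter, so an expired token
        // forwarded by a gateway cannot turn /public/login into a 401.
        // Trade-off: these requests also get no CSRF protection, no security
        // headers and no SecurityContext.
        web.ignoring().antMatchers("/public/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // permitAll() only skips the authorization decision. The request
                // still runs through BearerTokenAuthenticationFilter first, so an
                // Authorization: Bearer header that fails validation is answered
                // with 401 before the permitAll() rule is ever consulted.
                .antMatchers("/health").permitAll()
                .anyRequest().authenticated())
            // Assumes a JwtDecoder bean (for example from
            // spring.security.oauth2.resourceserver.jwt.jwk-set-uri).
            .oauth2ResourceServer(rs -> rs.jwt());
    }
}
```

With this split, a client that attaches a stale bearer token to GET /health still gets 401, which is the behaviour the thread complains about, while the same request to /public/login is served because no security filter ever sees it. Choose the ignored set deliberately: anything that must not depend on external clients sending clean headers goes there, everything that benefits from headers and CSRF stays in the chain under permitAll().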
@jgrandja Thanks for the involvement. But with EnableWebFluxSecurity this is not possible. How should this be applied there?
For WebFlux, I found this to do the job:
Solution for webflux. Url with prefix admin is protected. Rest of urls are permitted regardless of authorization header.
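An added example, not the code posted in the comment above and not from Spring Security itself, showing one way to get the behaviour that comment describes with @EnableWebFluxSecurity: a chain restricted by securityMatcher() to /admin/** is the only one that contains the bearer token support, and a second catch-all chain has no oauth2ResourceServer() at all, so an Authorization header on any other path is never parsed. It assumes Spring Security 5.2+ reactive resource server support with a ReactiveJwtDecoder bean configured elsewhere; /admin/**, the class name and the decision to disable CSRF on the public chain are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@EnableWebFluxSecurity
public class WebFluxSecurityConfig {

    // Chain 1: only exchanges whose path matches /admin/** (hypothetical prefix)
    // enter this chain, so only they pass through the bearer token filter.
    // Assumes a ReactiveJwtDecoder bean, e.g. from
    // spring.security.oauth2.resourceserver.jwt.jwk-set-uri.
    @Bean
    @Order(1)
    public SecurityWebFilterChain adminChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/admin/**"))
            .authorizeExchange(ex -> ex.anyExchange().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt())
            .build();
    }

    // Chain 2: everything else. There is no oauth2ResourceServer() here, so a
    // stale access token that a gateway copied from a cookie into the
    // Authorization header is never read, let alone validated.
    // CSRF is disabled on the assumption that these endpoints are called as a
    // stateless API behind the gateway; keep it on if browser forms post to
    // them directly.
    @Bean
    @Order(2)
    public SecurityWebFilterChain publicChain(ServerHttpSecurity http) {
        return http
            .csrf(csrf -> csrf.disable())
            .authorizeExchange(ex -> ex.anyExchange().permitAll())
            .build();
    }
}
```

The @Order values matter: the reactive WebFilterChainProxy picks the first chain whose matcher accepts the exchange, so the narrow /admin/** chain must come before the catch-all, otherwise every request would land in the permitAll chain and /admin/** would be unprotected. The ServerHttpSecurity parameter is a prototype-scoped bean, so each @Bean method receives a fresh builder.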
Hi
I'm using spring security oauth2 in my project.
I am excluding some urls from authentication as follow : http.authorizeRequests().antMatchers("an_unprotected_url").permitAll()
Now, what I am seeing is that if I don't pass the Authorization header to the above urls, the request is not authenticated and the API is called properly.
If the call is made with an Authorization header, then it validates the token and fails the call if the token is not validated.
What do I need to do so that the token is ignored in the requests for which I have permitAll?
Best regards
Youssef