requestMatchers does not execute .permitAll() for not registered Bean

[rnjsrntkd95]

Describe the bug
version

• spring boot 3.0.1
• spring security 6.0.1

not execute .permitAll()
just not registered controller.

To Reproduce

requestMatchers dose not execute .permitAll().
localhost:8080/data request response is 403 forbidden.
("/data" URL is not mvcMatcher, not registered controller API)

but, all include matcher ("/**") execute .permitAll().

Expected behavior

    .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/data").permitAll()
    )

localhost:8080/data request expected 404 Not Found;

[rnjsrntkd95]

I checked spring boot 2.7.1 version is execute normally to use antMatcher.

[marcusdacoregio]

Hi @rnjsrntkd95,

is your security configuration class annotated with @EnableWebSecurity and @Configuration? If it is, can you share a minimal, reproducible sample so we simulate it on our side?

[rnjsrntkd95]

of course! this is my public repository

security-request-matcher-issue

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers(
                "/favicon.ico", "/health.html", "/robots.txt"
        );
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .csrf().disable()
                .formLogin().disable()
                .logout().disable()
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/data").permitAll()    // this response is 403 forbidden, expect 404 Not Found because set permitAll
//                        .requestMatchers("/**").permitAll()     // if you release this comment, "/data" response is 404 Not Found
                )
                .authorizeHttpRequests().anyRequest().authenticated()
                .and().build();
    }
}

It's the same if I use an antMatcher not mvcMatcher.

.requestMatchers(antMatcher("/data")).permitAll()

[rnjsrntkd95]

but, if declare like this. "/data" request execute normally .permitAll . It is 200 Ok.

@RestController
public class TestController {

    @GetMapping("/data")
    public String data() {
        return "test";
    }
}

I guess... .permitAll() works only with declared controller. as registered bean. is this mvcMatcher role?

In the same way, WebSecurity.ignoring needs authenticate but i set ignored filter

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers(
                "/favicon.ico"
        );
    }

AuthenticationEntryPoint commence() catch this exception

InsufficientAuthenticationException: Full authentication is required to access this resource

[rnjsrntkd95]

I found the cause.

Error page ("/error") is created about 404 by request "/data"
but, I didn't handled error page. processed authorizeHttpRequests default denied.
I solved this issue by "/error" .permitAll or .ignoring()

Debugging through this annotation @EnableWebSecurity(debug = true)

this is my mistake. thank u @marcusdacoregio
It you have any advice, comment please!