Spring Security Configuraion Issue : Permit All Not working

[dv0892]

I am configuring a bean of type SecurityFilterChain in a very simple spring boot application with jsp .

URI's like / or /welcome should be accessible by anyone

But URI /authenticate or any other request should require authentication

Here is Security Config

@Bean
	public SecurityFilterChain filterChain( HttpSecurity http , MvcRequestMatcher.Builder mvc) throws Exception {		
            http.csrf(AbstractHttpConfigurer::disable)
		.authorizeHttpRequests(auth -> 
			auth.requestMatchers(mvc.pattern("/"),mvc.pattern("/welcome")).permitAll()
			.anyRequest().authenticated()
			)
		.formLogin(Customizer.withDefaults())
		.httpBasic(Customizer.withDefaults());

		return http.build();
	}

But it is asking me to login to every URI pattern including / and /welcome.

I have attached my sample repository on which I am facing this issue
https://github.com/dv0892/Security-Sample/tree/master

Seems like permitAll() is not working.
Please let me know if anything else is required

[chipbk10]

I got the same issue

[marcusdacoregio]

Hi, @dv0892. Have you enabled TRACE logging to check where the authentication error is happening? Have you enabled the FORWARD dispatcher type?

[chipbk10]

yes. Please look at the simple code below. You can reproduce it easily.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(CsrfConfigurer::disable)
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers("/home").permitAll()
                )
                .formLogin(withDefaults())
                .build();
    }
}

@Controller
public class AuthController {
    @GetMapping("/home")
    public String home() {
        return "Home Page";
    }
}

[marcusdacoregio]

I don't see you allowing FORWARD and neither you provided any logs that can help to know what is happening. Please, try what I recommended, and, if you really believe that there is a bug in Spring Security, please create a minimal, reproducible sample and write your findings.

[chipbk10]

@dv0892 has created a sample project that can reproduce this issue: https://github.com/dv0892/Security-Sample/tree/master

Can you provide the code to do the FORWARD like you mention? Thanks