Multiple WebSecurityConfigurationAdapter ignoring() method affects other configurations

[sofiageo]

Summary

Using ignoring() method with multiple WebSecurityConfigurationAdapter affects both adapters.

Actual Behavior

Ignoring a URL pattern inside a configure(WebSecurity web) method, ignores the same URL pattern in another web security configuration. (I'm using the guide from section 5.7 in the docs)

Expected Behavior

I'm not sure what is the expected behaviour. Maybe there is a reason that it works like that. I would expect it would only affect the configuration it is defined in, like for example debug() method.

Configuration

Config 1:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
      httpSecurity
              .antMatcher("/restapi/**")
    //more httpSecurity configurations - removed to make example more readable
    }

Config 2:

    @Override
    public void configure(WebSecurity web) throws Exception {
      web
              .debug(true)
              .ignoring().antMatchers("/restapi/**");
    }

Version

I'm using 4.2.1.RELEASE. Haven't tested this in other versions.

Sample

[eleftherias]

Thanks for reaching out @sofiageo.
This is the expected behavior since WebSecurity is used to create the FilterChainProxy which there is only one of (in contrast to SecurityFilterChain which there can be many of).

The suggested approach is to use a NegatedRequestMatcher if you want to ignore requests for a certain SecurityFilterChain.

For example, with the following configuration Spring Security will ignore any requests that match "/restapi/**".

http
	.requestMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher("/restapi/**")))
	.authorizeRequests()
	// ...

Alternatively, if you want to protect the "/restapi/**" endpoints against common vulnerabilities, while not requiring authentication you could use the following configuration:

http
	.authorizeRequests((authz) -> authz
		.antMatcher("/restapi/**").permitAll()
	// ...