即使使用@PreAuthorize（“permitAll（）”），Spring Security也会阻止匿名请求

Question

I have a lot of API endpoints that need authenticated requests, and a few that are allowed for any request. I would like Spring Security to block anonymous requests by default, but to let me overwrite it:

aHttpSecurity.authorizeRequests().anyRequest().authenticated()

...

@PreAuthorize("permitAll()")
@RequestMapping("/foobar")
public ResponseEntity<FooBar> get() {
  ...
}

Unfortunately, this does not work: /foobar outputs 401. Any idea how to do?

Answer 1

@PreAuthorize is just an annotation which wraps method to check if user can execute annotated method. It works not just with controllers.

When you have http requests, firstly requests go through some spring security filters and when you write .anyRequest().authenticated() you just do not go to some wrapped controller endpoint.

So, If you have a few endpoints you can exlude it

aHttpSecurity.authorizeRequests() .antMatchers(HttpMethod.GET, "/foobar/**").permitAll() .antMatchers("/**").authenticated()

and delete @PreAuthorize("permitAll()")

Answer 2

Spring Security has two levels of Security.

Filter Level and Method Level.

Filter Level would work with URL and If a URL is not configured to be accessed it will be denied access with 401 or 403 accordingly. This is handled by FilterSecurityInterceptor

Method Level is often used as a second level of defense to Authorize who can access a method and what operations or objects he/she can manipulate. This is handled by MethodSecurityInterceptor