在 permitAll url 的情况下执行 Springboot 过滤器

Question

I am new to springboot and trying to implement security where no filters are applied to my login, signup and home urls.

I am using springboot 2.7.1

I am expecting antMatchers("/**/signup").permitAll() to remain free of any security filter.

Upon debugging, I found that my signup url was being hit and user details were saved, but my AuthorizationFilter was also being executed .

This is my SecurityFilterChain :

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        AuthenticationManagerBuilder authenticationManagerBuilder=http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.userDetailsService(userLoginService).passwordEncoder(bCryptPasswordEncoder);
        AuthenticationManager authenticationManager=authenticationManagerBuilder.build();

        http.csrf().disable().authorizeHttpRequests()
                .antMatchers("/**/login").permitAll()
                .antMatchers("/**/signup").permitAll()
                .antMatchers("/home/**").permitAll()
                .anyRequest().authenticated().and()
                .addFilter(getAuthenticationFilter(authenticationManager))
                .addFilter(new AuthorizationFilter(authenticationManager))
                .authenticationManager(authenticationManager)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        return http.build();
    }

I don't understand why is it happening this way.

Answer 1

When you use permitAll() you are not disabling the filters, you are just specifying that you do not want to apply any authentication/authorization checks for that RequestMatcher . All the filters will still work.

The AuthorizationFilter will be invoked but since you configure permitAll() for that endpoint, it will always grant access.