Spring Security 4 customize matchers

Question

I have some local services mapped to same base url part. This services for users should be closed, but one of its is used by ZooKeeper and should be open. So i configured:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser("user").password("us").roles("USER");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/inner/service/**").hasRole("USER")
        .and().antMatcher("/inner/service/event/bus").csrf().disable().anonymous()
        .and().formLogin().and().logout().and().httpBasic();
  }
}

this configuration does not works. i have open service not only for events. Each of services is open. If i change configuration to:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser("user").password("us").roles("USER");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/inner/service/**").hasRole("USER")
        .and().formLogin().and().logout().and().httpBasic();
  }
}

All services are closed than.

Is it possible to configure anonymous requests everywhere

"/**"

authenticated services by path

"/inner/service/**"

with open one

"/inner/service/event/bus"

?

PS Open service is used for ZooKeeper response.

Answer 1

solution is:

1. move to other path (to provide uncrossed passes)

    "/inner/service/event/bus" // for example "/inner/event/bus" 

2. change http security configuration:

    @Override protected void configure(HttpSecurity http) throws Exception { // to ignore csrf filter for zookeeper client api http.csrf().ignoringAntMatchers("/inner/event/bus"); // configure the HttpSecurity http.antMatcher("/inner/service/**").authorizeRequests() // configure open resources. this configuration can be missed because of root level security (see line before) .antMatchers("/", "/index.html", "/inner/event/bus", "view.html").permitAll() // configure role for specified api .antMatchers("/inner/service/**").hasRole("USER") // to use default login and logout api .and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic(); } 

this solution works also if i remove one instruction:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().ignoringAntMatchers("/inner/event/bus");
        http.antMatcher("/inner/service/**").authorizeRequests()
            .antMatchers("/inner/service/**").hasRole("USER")
            .and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic();
    }

And one more important point ( i think important ). I have removed from my *.yml files all security customization.