
Why am I getting a 401 when using Spring Security 6, permitAll and after disabling CSRF?

There are some similar questions so I have done my best to signify differences but I have reviewed them and they don't seem to match my question.

I have a few simple use cases...

Given I am a user 
And I am not authenticated
When I use a GET request
Then I get a 200 response

Given I am a user 
And I am not authenticated
When I use a POST request
Then I get a 401 response

I try to get this to work using spring security like this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .requestMatchers(HttpMethod.GET).permitAll()
                .anyRequest().authenticated()
        ).csrf().disable();
        return http.build();
    }

But when I run and try to hit http://localhost:8080 with a GET request I still get a 401. If I remove all of the dependencies from the POM then it goes back to giving me a 200.

What am I missing? What do I need to allow requests through without a token?

I also tried this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .anyRequest().permitAll()
        ).oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt );
        return http.build();
    }

But this also produces a 401.

The first security configuration you provided intends to match on "every request that is a GET". The method signature is requestMatchers(HttpMethod method, String... patterns). Your usage omits the patterns, and so matches "no requests that are a GET".

Note: I'm actually surprised that the method allowed you to pass no argument(s) for the patterns parameter. Perhaps that's a worthwhile enhancement suggestion.

In your example, you can do this:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .requestMatchers(HttpMethod.GET, "/**").permitAll()
                    .anyRequest().authenticated()
                )
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
            return http.build();
        }

    }

Note: You do need at least one authentication mechanism specified, which your config is missing.
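To make the two points above (method plus pattern in the matcher, and an explicit authentication mechanism) concrete, here is an added example that is not code from the question or from either answer. It is a minimal Spring Boot 3 / Spring Security 6 application together with a MockMvc test that pins down the two use cases from the question: an anonymous GET gets 200, an anonymous POST gets 401, and a POST carrying a valid bearer token gets 200. The package, class and endpoint names, the stub JwtDecoder and the assumption that a real deployment sets spring.security.oauth2.resourceserver.jwt.issuer-uri are all mine; the application classes and the test class are shown as one listing for brevity, the test belongs under src/test/java.

```java
// Added example, not code from the question or either answer. Package, class and
// endpoint names are assumptions; a real deployment would configure a JwtDecoder
// via spring.security.oauth2.resourceserver.jwt.issuer-uri instead of the test stub.
package com.example.demo;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); }
}

@Configuration
@EnableWebSecurity
class SecurityConfiguration {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: there is no session cookie for CSRF to protect,
            // and leaving CsrfFilter on would reject an anonymous POST with 403 before
            // the authorization rules below are consulted.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(authorize -> authorize
                // Method AND pattern: every GET, on any path, is readable anonymously.
                .requestMatchers(HttpMethod.GET, "/**").permitAll()
                // Everything else (POST, PUT, DELETE, ...) needs an authenticated caller.
                .anyRequest().authenticated())
            // The authentication mechanism: validate a JWT bearer token. Without one
            // (this, httpBasic, formLogin, ...) no request can ever become authenticated.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class RootController {
    @GetMapping("/")
    String read() { return "public read"; }

    @PostMapping("/")
    String write() { return "authenticated write"; }
}

// Pins down the two scenarios from the question. The stub JwtDecoder satisfies the
// resource server's bean requirement without contacting a real issuer; jwt() injects
// an already-authenticated principal, so the stub is never asked to decode anything.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigurationTest {

    @TestConfiguration
    static class StubDecoder {
        @Bean
        JwtDecoder jwtDecoder() {
            return token -> { throw new JwtException("stub decoder: no real issuer configured"); };
        }
    }

    @Autowired
    MockMvc mockMvc;

    @Test
    void anonymousGetIsPermitted() throws Exception {
        mockMvc.perform(get("/")).andExpect(status().isOk());
    }

    @Test
    void anonymousPostIsChallengedWith401() throws Exception {
        mockMvc.perform(post("/"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void postWithValidJwtSucceeds() throws Exception {
        mockMvc.perform(post("/").with(jwt())).andExpect(status().isOk());
    }
}
```

Two things worth keeping in mind when adapting this: the 401 on the anonymous POST comes from the resource server's entry point, so if the oauth2ResourceServer line is dropped the request is simply denied with no challenge, which is the symptom the question describes; and permitting GET on "/**" opens every GET endpoint the application exposes, so narrow the pattern to the paths that are genuinely public if any GET returns data that should stay behind a token.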

This seems to work...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/").permitAll()
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(Customizer.withDefaults())
                );
        return http.build();
    }
