Reputation: 2757
I want to allow all URLs defined in a specific controller except one.
Let's say my controller exposes 3 URLs with base URL /users.
I want to allow access to URLs 1 and 2 to any user, except the last one.
I have been doing something like this:
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
            .pathMatchers("/users/**")
            .permitAll()
            .pathMatchers("/users/admin")
            .hasRole("ADMIN")
            .anyExchange()
            .authenticated()
            .and()
            .httpBasic()
            .and()
            .formLogin();
        return http.build();
    }
But it is not working. I have also tried the reverse, i.e.:
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
            .pathMatchers("/users/admin")
            .hasRole("ADMIN")
            .anyExchange()
            .authenticated()
            .pathMatchers("/users/**")
            .permitAll()
            .and()
            .httpBasic()
            .and()
            .formLogin();
        return http.build();
    }
This is also not working, stating that since anyExchange() is already registered, the next pathMatcher can't be reached.
Upvotes: 5
Views: 10054
Reputation: 2757
I found the solution.
anyExchange() and authenticated() were causing the issue. anyExchange() was not allowing any further path matcher to be added, and authenticated() was making the whole app a secured one, causing each URL to prompt for authentication.
Removing these two worked.
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
            .pathMatchers("/users/admin/**")
            .hasRole("ADMIN")
            .pathMatchers("/**").permitAll()
            .and().httpBasic();
        return http.build();
    }
Upvotes: 8
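An added example, not part of the original question or answer: the authenticated default from both attempts can be kept if the rules are ordered from most specific to least specific, because Spring Security applies the first rule that matches and anyExchange() has to be the last one. It assumes Spring Security 5.2 or later for the lambda-style configuration; the class name OrderedSecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Added example (not the poster's code). Assumes Spring Security 5.2+ on WebFlux.
@Configuration
@EnableWebFluxSecurity
public class OrderedSecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // 1. Most specific rule first. Rules are checked in declaration
                //    order and the first match decides, so this must precede
                //    the broader /users/** rule or it is never consulted.
                .pathMatchers("/users/admin", "/users/admin/**").hasRole("ADMIN")
                // 2. Broader rule second: the remaining /users URLs are public.
                .pathMatchers("/users/**").permitAll()
                // 3. Catch-all last. No matcher may be registered after
                //    anyExchange(), which is the error the second attempt hit.
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults())
            .build();
    }
}
```

With this ordering /users/admin requires the ADMIN role, the other /users URLs are open to anyone, and every other path still requires a login. A final .pathMatchers("/**").permitAll() rule instead opens every path that no earlier rule covers.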