Spring Security permit paths with the same suffix

Question

In my JWT authenticated API I want these paths to be accessible without any authentication, and all other endpoints to be disallowed/disabled:

GET /apis/id/{id}
POST /apis
PATCH /apis/id/{id}
DELETE /apis/id/{id}
GET /swagger-ui.html

As you can see most of the above endpoints begin with /apis/id, POST has /apis. Here is my configurations:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
           .mvcMatchers(HttpMethod.GET,"/apis/id/**").permitAll()
           .mvcMatchers(HttpMethod.PATCH,"/apis/id/**").permitAll()
           .mvcMatchers(HttpMethod.DELETE,"/apis/id/**").permitAll()
           .mvcMatchers(HttpMethod.POST,"/apis", "/apis/").permitAll()
           .antMatchers(HttpMethod.GET,"/csrf","/v2/api-docs","/swagger-resources/configuration/ui",  "/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html", "/webjars/**","/swagger-resources/configuration/ui","/swagger-resources/configuration/security", "/configuration/security").permitAll()// for Swagger UI
        .anyRequest().denyAll();
    }
}

Only GET /apis/id/{id} and /swagger-ui.html get through. The other endpoints with the identical configs (except for POST) all got rejected (403). I added an exception handler and print out the AuthenticationException message, and it says:

Full authentication is required to access this resource path

How do I make these endpoints public? I feel like I am missing some configurations.

Framworks I am using:

Spring Boot version 2.0.4
Spring Security version 5.1.0

Spring Security permit paths with the same suffix

Answers (1)

Related Questions