How to remove authentication from WebSecurityConfigurerAdapter

Question

I have the class below which uses antMatchers to remove authentication from a public endpoint. However the public endpoint is also being blocked and I keep getting a HTTP/1.1 401. Can anyone please help me to spot what's wrong below?

@Configuration
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

@Autowired
private UsersService usersService;

@Autowired
private UsersRepository usersRepo;    

@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable();
    http.authorizeRequests().antMatchers(HttpMethod.POST, "/public").permitAll()
        .anyRequest().authenticated()                
        .and().addFilter(getAuthenticationFilter());        
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(usersService).passwordEncoder(bCryptPasswordEncoder());
}

private AuthenticationFilter getAuthenticationFilter() throws Exception {
    final AuthenticationFilter filter = new AuthenticationFilter(authenticationManager(), 
     usersService);
    return filter;
}

}

---------------update 1-------------------

I tried with http POST, using curl and I get back the below. It seems like the request is caught somewhere but not in the controller I am trying to hit:

$ curl -X POST  http://localhost:8083/public -H 'Content-Type:     
application/json' -H 'cache-control: no-cache' -d '{  
"email":"test2@test.com", "password":"12345678" }' -v

*   Trying ::1:8083...
* Connected to localhost (::1) port 8083 (#0)
> POST /user HTTP/1.1
> Host: localhost:8083
> User-Agent: curl/7.69.1
> Accept: */*
> Content-Type: application/json
> cache-control: no-cache
> Content-Length: 51
>
* upload completely sent off: 51 out of 51 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=72AB25425322A17AE7014832D25284FD; Path=/;    
HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< WWW-Authenticate: Basic realm="Realm"
< Content-Length: 0
< Date: Tue, 31 Mar 2020 11:36:10 GMT
<
* Connection #0 to host localhost left intact

Answer 1

It is difficult to know without seeing all of your code, but I suspect that this has nothing to do with the authorizeRequests() portion of your configuration. Instead, I suspect it is the AuthenticationFilter which is attempting to authenticate the request because you have included credentials in the request. The default is to try to authenticate anytime the AuthenticationConverter returns credentials. Then AuthenticationFailureHandler will respond with HTTP 401 if invalid credentials are provided.

To resolve this, you can remove the credentials from your request. Alternatively, you can limit which requests AuthenticationFilter are invoked on by setting the requestMatcher. Something like this would limit to processing POST to /authenticate:

private AuthenticationFilter getAuthenticationFilter() throws Exception {
    final AuthenticationFilter filter = new AuthenticationFilter(authenticationManager(), 
     usersService);
    filter.setRequestMatcher(new AntPathRequestMatcher("/authenticate", "POST"));
    return filter;
}

Answer 2

You might want to override the WebSecurity method to completely ignore your /public path from Spring Security processing.

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/public/**");
}