Description
Describe the bug
Starting with Spring Security 6.0.0-M7 (used by Spring Boot 3.0.0-M5), calls to permitAll() when configuring ServerHttpSecurity seem to be ignored.
I'm working on preparing a Spring Boot 2.7-based application for Spring Boot 3.
When upgrading from Spring Boot 3.0.0-M4 to 3.0.0-M5, I started to get 401 on APIs that are configured to not require any authorization. The problem remains in Spring Boot 3.0.0-RC1.
To Reproduce
1. Unzip the attached sample code.
2. Build and start the server with:
   ./gradlew clean test bootRun
3. Run the following three curl commands:
   curl localhost:8080/actuator/health -w ", %{http_code}\n"
   curl localhost:8080/api/open -w ", %{http_code}\n"
   curl localhost:8080/api/protected -w "%{http_code}\n"
   Expect them to return:
   {"status":"UP"}, 200
   {"result":"open"}, 200
   401
4. Change the Spring Boot version in the file build.gradle to 3.0.0-M5 or 3.0.0-RC1.
5. Repeat steps 2 and 3. The responses from the curl commands will now be:
   , 401
   , 401
   401
Expected behavior
That the APIs configured to "permit-all" (/actuator/health and /api/open) do not return 401.
Sample
product-composite-service.zip
The Security configuration looks like:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                // Health endpoint and the open API need no authentication.
                .pathMatchers("/actuator/**").permitAll()
                .pathMatchers("/api/open").permitAll()
                // Everything else requires an authenticated caller.
                .anyExchange().authenticated()
                .and()
            // Callers authenticate with a bearer JWT.
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}
```
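One thing worth verifying against a sample like this before looking further: in Spring Security 6 the @Enable* annotations, @EnableWebFluxSecurity among them, are no longer meta-annotated with @Configuration, so a class that carries only @EnableWebFluxSecurity is not a configuration class and its @Bean methods are not registered. With no SecurityWebFilterChain bean in the context, Spring Boot's auto-configured default chain applies, and that chain requires authentication on every exchange, which would look exactly like permitAll() being ignored. The following is an added example, not code from the report or from Spring Security, showing the same three rules on an explicit @Configuration and in the lambda DSL that Spring Security 6 documents; the package and class name are assumptions.

```java
// Added example (not from the original report). Same rules as the reported
// configuration, but the class is explicitly a @Configuration so its @Bean
// method is registered regardless of what @EnableWebFluxSecurity is
// meta-annotated with. Package and class name are assumed.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // Matchers are evaluated in order and the first match wins, so the
            // narrow permitAll rules must precede the anyExchange catch-all.
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/actuator/**").permitAll()
                .pathMatchers("/api/open").permitAll()
                .anyExchange().authenticated())
            // Bearer-token resource server; the ReactiveJwtDecoder is built
            // from the spring.security.oauth2.resourceserver.jwt.* properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The three curl commands from step 3 of the report distinguish the two cases: with this chain registered, /actuator/health and /api/open answer 200 and /api/protected answers 401; if only the auto-configured default chain is present, all three answer 401.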