I want to disable Spring Security from running based on RequestURI. So I don't want to enter the configure method, because I find "AuthenticationManager" in the "auth/findRealm" service.
Java version: 17
Spring Security version: 2.7.4
SecurityClass
```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
    private final AuthenticationManagerResolver authenticationManagerResolver;
    private final boolean authenticationEnabled;

    public SecurityConfig(
            @Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
            @Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
            AuthenticationManagerResolver authenticationManagerResolver) {
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
        this.authenticationManagerResolver = authenticationManagerResolver;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
            .cors().and()
            .authorizeRequests()
                .antMatchers("/auth/findRealm").permitAll()
                .anyRequest().authenticated()
            .and().exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
                .authenticationManagerResolver(request -> authenticationManagerResolver.resolveAuthenticationManager(request));
        return http.build();
    }
}
```
Custom AuthenticationManagerResolver class
```java
@Service
@RequiredArgsConstructor
public class AuthenticationManagerResolver {

    private final AuthenticationClientService authenticationClientService;

    public AuthenticationManager resolveAuthenticationManager(HttpServletRequest request) {
        String applicationCode = request.getHeader("applicationCode");
        String realm = authenticationClientService.findRealm(applicationCode);
        JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(realm));
        return new ProviderManager(Collections.singletonList(authenticationProvider));
    }
}
```
How can I overcome this situation?
To completely prevent Spring Security from being applied to certain URLs, you can configure a `WebSecurityCustomizer` bean to customize `WebSecurity`:

```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers("/foo", "/bar/**");
    }
}
```

This will stop Spring Security from being applied to the URLs `/foo` and `/bar` and all sub-paths under `/bar` (e.g. `/bar/baz`).
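An alternative to `web.ignoring()` for the question's `/auth/findRealm` endpoint, as an added example that is not part of the question or the answer above: a dedicated, higher-priority filter chain that permits the request but has no `oauth2ResourceServer()`, so the custom resolver is never called for it while the default security headers and CORS handling still apply (paths under `web.ignoring()` bypass every Spring Security filter). It assumes the Spring Security 5.7 API (`antMatcher`, `authorizeRequests`); the class and bean names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; added example, not code from the question or the answer.
@Configuration
public class PublicEndpointSecurityConfig {

    // @Order(1) makes this chain take precedence over the main chain from the question,
    // which has no @Order and is therefore consulted last.
    @Bean
    @Order(1)
    public SecurityFilterChain findRealmChain(HttpSecurity http) throws Exception {
        http
            // This chain handles only /auth/findRealm; every other request
            // falls through to the main chain and its JWT authentication.
            .antMatcher("/auth/findRealm")
            .cors(Customizer.withDefaults())
            // The endpoint is public: no authentication is required.
            .authorizeRequests(authorize -> authorize.anyRequest().permitAll());
        // No oauth2ResourceServer() is configured here, so no bearer-token filter runs on
        // this path and AuthenticationManagerResolver.resolveAuthenticationManager(...)
        // is not invoked for it.
        return http.build();
    }
}
```

With this chain in place, the `.antMatchers("/auth/findRealm").permitAll()` rule in the main chain is no longer reached for that path.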