I am using Spring Security, and I would like to know how to add multiple request matchers: one for "auth/**" (which should allow anonymous requests) and one for "prod/**" (which should allow requests only if authenticated). I am using Spring Boot 3.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests((authRequest) -> {
                authRequest
                    .requestMatchers("/auth/**").permitAll()
                    .anyRequest().anonymous();
                authRequest.anyRequest().authenticated();
            })
            .sessionManagement(sessionManager ->
                sessionManager.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authenticationProvider(authProvider)
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }

As for your problem, you have to rewrite this part of the SecurityFilterChain to achieve what you want.

    …
    .authorizeHttpRequests((authRequest) -> {
        authRequest
            .requestMatchers("/auth/**").permitAll()
            .anyRequest().authenticated();
    })
    …

For more details about how it works, and also why it should be so, I really suggest reading the part of the documentation about it. Good advice for you is also to go through all of the documentation, because it is the best way to understand.
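
A complete configuration for the two prefixes from the question, as an added example that is not part of the original question or answer. The class name `ExampleSecurityConfig` is hypothetical, and the explicit `/prod/**` rule with a `denyAll()` fallback goes one step beyond the answer (use `.anyRequest().authenticated()` to match it exactly).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; added example, not the asker's or the answerer's code.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // CSRF is disabled as in the question (stateless API, no session cookie).
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom and the first match decides,
                // so specific paths come first and the catch-all comes last.
                // permitAll() admits anonymous and authenticated callers alike.
                .requestMatchers("/auth/**").permitAll()
                // authenticated() rejects anonymous callers.
                .requestMatchers("/prod/**").authenticated()
                // anyRequest() may appear only once and must be the final rule;
                // the question's second anyRequest() call is rejected with an
                // IllegalStateException while the chain is being configured.
                // anonymous() is not a synonym for permitAll(): it admits ONLY
                // unauthenticated callers and denies logged-in users.
                // Assumption of this example: paths outside the two prefixes
                // are denied by default rather than merely requiring a login.
                .anyRequest().denyAll())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // The question's authenticationProvider(...) and addFilterBefore(...)
            // calls are unchanged and slot in here, before build().
            .build();
    }
}
```

In Spring Security 6 the authorization rules also apply to the ERROR dispatch, so with `denyAll()` as the fallback Spring Boot's `/error` page is denied too; add a rule for it if clients need the error body.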