Assuming, that I have an endpoint that is accessible only to authenticated users,
now I want to grant access to non-authorized users as well.
Do I need to expect that Spring Security will try to authorize the user even when the user is trying to reach the public endpoint?
I mean, will I be able to determine who exactly is reaching the public endpoint - authorized or non-authorized user?
Do I need to expect that Spring Security will try to authorize the user even when the user is trying to reach the public endpoint?
No, Spring Security will not apply any authorization if you configured an endpoint with permitAll(). However, if there is any authentication mechanism configured, it will try to authenticate.
Consider the following configuration:
http
.authorizeHttpRequests(authorize -> authorize
.requestMatchers("/public").permitAll()
)
.httpBasic(Customizer.withDefaults());
If you make a request to /public with the wrong basic credentials, the request will fail because the authentication failed, even if this is a public endpoint. On the other hand, if you provide valid credentials, Spring Security will authenticate the user but won't use it for authorization.