
Spring Boot 3 Security: Resolving requestMatchers.permitAll Issues
Learn how to effectively configure `Spring Boot 3 Security` to ensure your public APIs bypass security filters.
---
This video is based on the question stackoverflow.com/q/74799091/ asked by the user 'Forece85' ( stackoverflow.com/u/6765460/ ) and on the answer stackoverflow.com/a/74799451/ provided by the user 'Marcus Hert da Coregio' ( stackoverflow.com/u/5454842/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Spring Boot 3 Security requestMatchers.permitAll not working
Also, Content (except music) licensed under CC BY-SA meta.stackexchange.com/help/licensing
The original Question post is licensed under the 'CC BY-SA 4.0' ( creativecommons.org/licenses/by-sa/4.0/ ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( creativecommons.org/licenses/by-sa/4.0/ ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
When working with Spring Boot 3 and Spring Security, developers sometimes run into trouble configuring security settings, especially when using requestMatchers.permitAll(). One commonly reported issue is that endpoints intended to be public are still being intercepted by a custom filter, specifically one that extends OncePerRequestFilter. In this post, we will break down the problem and provide a clear, step-by-step solution to ensure that your public APIs behave as expected without unnecessary interference from security filters.
Understanding the Problem
What Are We Trying to Achieve?
In your Spring Security configuration, you want certain public APIs (like /generate/** and /validate/**) to be accessible without authentication or interference from security filters. However, it seems that each request to these endpoints is still reaching your SecurityFilter, which logs all incoming requests. This behavior is not only unexpected but can also lead to performance issues due to unnecessary JWT validations.
Code in Question
Here’s a brief look at the problematic Spring Security configuration you are dealing with:
[[See Video to Reveal this Text or Code Snippet]]
This configuration leads to a scenario where requests to /generate/ or /validate/ are unexpectedly processed by the SecurityFilter component.
The Solution
Why is This Happening?
The issue arises because your SecurityFilter is annotated with @Component. Spring Boot registers every Filter bean it finds with the servlet container, so the filter runs for every request as part of the container's own filter chain. That chain is separate from, and runs before, the filter chain that Spring Security builds. The permitAll() rule lives in the Spring Security chain and therefore has no effect on a filter registered outside it; to have the security configuration govern the filter, it has to be placed into Spring Security's chain instead.
Step-by-Step Fix
Here’s how you can resolve this issue and ensure that your public APIs bypass the SecurityFilter:
Remove the Component Annotation:
Annotating SecurityFilter with @Component makes it a bean, and Spring Boot automatically registers every Filter bean with the servlet container. Remove the @Component annotation so that registration no longer happens:
[[See Video to Reveal this Text or Code Snippet]]
Add the SecurityFilter Manually:
Instead of letting Spring Boot register the filter for you, add it directly to the SecurityFilterChain configuration. HttpSecurity exposes addFilterBefore and addFilterAfter, which place your filter before or after an existing filter in Spring Security's chain:
[[See Video to Reveal this Text or Code Snippet]]
Updated Example
Here's how your SecurityFilter and Spring Security configuration would look after applying the changes:
[[See Video to Reveal this Text or Code Snippet]]
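The following is an added example of the resulting configuration, not the code from the original question or answer. It assumes the filter only logs the request (the JWT check is a hypothetical placeholder), and it goes one step beyond the answer by overriding shouldNotFilter for the public paths: permitAll() authorises a request but does not skip filters that sit earlier in Spring Security's chain.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// No @Component here: a Filter bean would be auto-registered by Spring Boot with the
// servlet container and run for every request, outside Spring Security's chain.
class SecurityFilter extends OncePerRequestFilter {

    // Added safeguard (not in the original answer): permitAll() only authorises the
    // request, so the filter itself declines the public paths.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String path = request.getServletPath();
        return path.startsWith("/generate/") || path.startsWith("/validate/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Hypothetical placeholder for the JWT validation; here we only log and continue.
        logger.info("SecurityFilter saw " + request.getRequestURI());
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/generate/**", "/validate/**").permitAll()
                .anyRequest().authenticated())
            // Instantiated here, not declared as a bean, so only Spring Security owns it.
            .addFilterBefore(new SecurityFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

With this in place, a request to /generate/token produces no SecurityFilter log line, while a request to a protected path still passes through the filter before authorization is enforced.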
Conclusion
By correctly configuring your SecurityFilter and utilizing the SecurityFilterChain, you can ensure that your public APIs such as /generate/** and /validate/** behave as expected without unnecessary authentication checks and logging. Remember, keeping the filter configurations clear and manual when needed is key to avoiding issues in the security flow of your application. Happy coding!