This repository has been archived by the owner on May 25, 2021. It is now read-only.

Commit

Add comment about issues when including a token to permitAll routes (#47)
jimmyjames authored May 8, 2020
1 parent 4c37e01 commit 0e3db27
Showing 1 changed file with 4 additions and 0 deletions.
Expand Up @@ -43,6 +43,10 @@ protected void configure(HttpSecurity http) throws Exception {
.forRS256(apiAudience, issuer)
.configure(http)
.authorizeRequests()

// Note: If passing an Authorization header, Spring Security will validate it even with permitAll()
// You can ignore security filters if this is an issue for you, as discussed here:
// https://stackoverflow.com/questions/36296869/spring-security-permitall-still-considering-token-passed-in-authorization-header
.antMatchers(HttpMethod.GET, "/api/public").permitAll()
.antMatchers(HttpMethod.GET, "/api/private").authenticated()
.antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages");
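Review bot: The added comment above the `/api/public` matcher suggests ignoring security filters but does not state the trade-off: a path excluded from the filter chain loses all Spring Security processing (security headers and any other filters configured on `http`), not only bearer-token validation. Suggest saying that in the comment, and naming the symptom a reader will actually see, which is that a request to a `permitAll()` route carrying an invalid or expired token is rejected rather than served. If an ignore rule is added, it should be scoped to GET on `/api/public` so it matches the `permitAll()` rule here and does not widen to other methods or paths; for most clients the simpler fix is to omit the Authorization header on public routes. The comment also leans entirely on an external link, so one line summarising the approach would keep it useful if the link goes away.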