In non-reactive spring-security I am able to bypass authorization and authentication using `ignoring()` in a `WebSecurityCustomizer` (https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityCustomizer.html), which is amazing, however I am not able to exploit this behaviour along a "spring-security-powered-oauth2-reactive-resource-server" because the `@EnableWebFluxSecurity` does not allow using `WebSecurityCustomizer`.

I thought the correct way to do this is using `.permitAll()` in my `SecurityWebFilterChain` bean, for instance adding before row 43 in the example something like

```java
.pathMatchers(HttpMethod.GET, "/free-path/**").permitAll()
```

This works, meaning I can `GET` any `/free-path/something` without providing any JWT, but has the problematic behaviour that, if I provide a JWT, this token is evaluated and if it's not valid, e.g. expired, I get a 401 response.

Which is the correct way to add a "free" path?

Can you kindly consider adding a "free" resource to the reactive sample project to make things clearer?

EDIT: actually I am able to mimic the `ignoring()` approach using this SO suggestion

```java
.securityMatcher(new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers("/free-path/**")))
```

but I am not sure this is the preferred solution and I know from the documentation that `ignoring()` is more for static content than for dynamic content.
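Added example, not part of the issue and not the Spring Security sample's code: one way to get a token-free path without dropping it from Spring Security entirely is to give it its own ordered `SecurityWebFilterChain` that has no `oauth2ResourceServer()`. The class name `FreePathSecurityConfig` and the bean names are hypothetical, and the JWT decoder is assumed to be configured elsewhere (for example through Spring Boot's resource-server properties).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class FreePathSecurityConfig { // hypothetical class name

    // Chain 1: matches only GET /free-path/**.
    // No oauth2ResourceServer() is configured here, so no bearer-token filter
    // is installed and an expired or malformed JWT in the Authorization header
    // is never evaluated. Unlike a negated securityMatcher on a single chain,
    // the request still passes through this chain's default filters
    // (for example the security response headers).
    @Bean
    @Order(1)
    SecurityWebFilterChain freePathChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/free-path/**"))
            .authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
            .build();
    }

    // Chain 2: no securityMatcher, so it handles every request chain 1 did not
    // match, including non-GET requests to /free-path/**. A valid JWT is required.
    @Bean
    @Order(2)
    SecurityWebFilterChain apiChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }
}
```

With the single-chain negated `securityMatcher` from the EDIT, requests to `/free-path/**` match no chain at all, so none of Spring Security's filters run for them.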