I am using Spring Boot 3 for my REST application and want to exclude some REST Endpoints from Authorization.
Take this REST Controller as an example:
@RestController@RequestMapping("/api/rest/products")class ProductController { ... }My Security config looks like this:
@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) { http.authorizeHttpRequests(authorize -> authorize. requestMatchers("/api/rest/products").permitAll() .anyRequest().authenticated() ); ...}But this doesn't work. The /products endpoint still demands an Authorization Header. It only works when I provide a regex like this:
requestMatchers("**").permitAll()Now all endpoints won't require the Auth header. What am I doing wrong? I haven't yet found a proper string to only exclude the /products endpoint.