
Last updated: January 30, 2025
Spring Security provides multiple mechanisms to configure request patterns as unsecured or to allow unrestricted access. In this article, we'll explore two commonly used approaches, permitAll() and web.ignoring(), and how each of them behaves within Spring Security's filter chain.
Configuring permitAll() allows all requests on the specified path without disabling the security filters. The request still passes through the full filter chain, so Spring Security functionality such as security response headers, session management, the SecurityContext and CSRF protection remains active; only the authorization decision is relaxed.
Using Java configuration, we can enable access to the /login* path:
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
authorizationManagerRequestMatcherRegistry
.requestMatchers("/login*").permitAll()
);
This configuration ensures that the /login* path is accessible to everyone while keeping the security filters active. It’s particularly useful for login pages, where some Spring Security features, such as CSRF tokens, are required.
In Java configuration, web.ignoring() is exposed through a WebSecurityCustomizer bean, and it excludes the specified paths, such as static resources, from the security filter chain entirely (antMatchers() was the Spring Security 5 name; in Spring Security 6 the method is requestMatchers()):
web.ignoring().requestMatchers("/resources/**");
This approach is useful for paths where no security processing is needed, such as serving static assets like images, CSS and JavaScript files. However, because such requests never enter the filter chain, none of Spring Security's features are available on these paths: no CSRF protection, no security response headers (HSTS, X-Content-Type-Options, X-Frame-Options and so on) and no SecurityContext. A controller mapped under an ignored path that reads the current user or expects a CSRF check is therefore unprotected, so web.ignoring() should be reserved for genuinely public static content.
When several filter chains are defined, for example multiple <security:http> elements or patterns marked security="none" in XML configuration, or several SecurityFilterChain beans ordered with @Order in Java configuration, the order of definition matters. FilterChainProxy dispatches each request to the first chain whose pattern matches, so specific paths must be defined before universal match patterns like "/**". (Paths registered through web.ignoring() are placed ahead of every other chain automatically, so the rule concerns the chains we define ourselves.)
More specific patterns should be defined before more general ones to ensure proper matching. If the universal pattern "/**" is defined before other patterns, it matches every request and the later chains can never be reached; Spring Security's filter chain validator detects this at startup and the application fails with an error:
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**')
is defined before other patterns in the filter chain, causing them to be ignored.
Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
at o.s.s.c.h.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49)
at o.s.s.c.h.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39)
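The following configuration class is an added example written for this article, not code from the original text or from the Spring Security project. It brings together the two mechanisms discussed above (permitAll() on the login page and web.ignoring() for static assets) and also shows the Java-configuration counterpart of the ordering rule: a chain scoped with securityMatcher() is ordered before the universal "/**" chain. The paths /resources/**, /css/**, /js/**, /api/** and /login* are illustrative assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the original article): combines web.ignoring() with
// two ordered SecurityFilterChain beans. All path patterns are assumptions.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // web.ignoring(): these requests bypass the security filter chain entirely.
    // No CSRF check, no security headers, no SecurityContext on these paths,
    // so restrict this to public static content only.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers("/resources/**", "/css/**", "/js/**");
    }

    // Chain 1: scoped to /api/** via securityMatcher(). As the more specific
    // chain it must be ordered before the catch-all chain below; otherwise the
    // "/**" chain would take every request and this one would never run, which
    // is the same problem the universal-match ordering error above reports.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: the universal "/**" chain, ordered last. permitAll() on /login*
    // keeps every filter active, so the login page still receives a CSRF token
    // and the response still carries the security headers.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login*").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}
```

A quick way to verify the split is to request a static file and the login page and compare the responses: the ignored path returns no Spring Security headers at all, while /login still carries them and its form still contains the _csrf hidden field. Swapping the two @Order values reproduces the problem described above, because the "/**" chain would then match first and /api/** would never reach its own chain.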
In this tutorial, we discussed the options for allowing access to a path using Spring Security. We explored the key differences between permitAll() and web.ignoring(), highlighting their use cases and scenarios where each approach is most suitable.