
Document Authentication Semantics for Public Endpoints

Open jzheaux opened this issue 2 years ago • 3 comments

A common question is "why do my public endpoints fail with a 401 when they are given invalid credentials?"

The answer I usually give is:

This is by design. Generally speaking, an authorization system would need to know who the user is before knowing whether the user can do operation X, Y, or Z. And even with a public endpoint, the endpoint may behave differently when a user is in context. So, in the end, they are separate systems, with authentication coming first: if a request presents credentials, then the framework will try to authenticate the user and accept or deny the request accordingly.

This should be documented somewhere, including how to configure public endpoints so that they never attempt authentication.

jzheaux avatar Nov 08 '23 20:11 jzheaux
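The two behaviours described in the issue (a public endpoint that still verifies credentials when they are presented, versus one that never attempts authentication) come from whether an authentication mechanism is registered on the filter chain that matches the request. The configuration below is an added example for this thread, not code from the Spring Security project or from any commenter; the paths `/public/**` and `/health` and the class name are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example: two SecurityFilterChain beans. The first matching chain wins,
// so the public chain must be ordered before the catch-all chain.
@Configuration
@EnableWebSecurity
public class PublicEndpointsSecurityConfig {

    // Chain 1: only requests to /public/** (assumed path) are routed here.
    // No authentication mechanism (httpBasic, formLogin, oauth2ResourceServer, ...)
    // is configured, so no filter ever reads an Authorization header on this
    // chain. A request carrying invalid credentials is simply served.
    @Bean
    @Order(1)
    SecurityFilterChain publicChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/public/**")
            .authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
        return http.build();
    }

    // Chain 2: every other request. HTTP Basic is enabled, so whenever a
    // request presents credentials they are verified first. That includes
    // /health (assumed path), which is permitAll: a request to /health with
    // no credentials succeeds, but one with a bad Authorization header is
    // rejected with 401, which is the behaviour the issue describes.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/health").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Two practical checks when using this pattern: verify with `curl -u wrong:wrong http://localhost:8080/public/x` that the public chain returns the resource rather than 401, and remember that the default CSRF protection is still active on the public chain, so unauthenticated POSTs from non-browser clients to `/public/**` will need a CSRF token unless CSRF is disabled on that chain.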

I am facing the same issue: my public endpoint gets the same 401 error. How can I configure public endpoints?

musaddique91 avatar Nov 12 '23 18:11 musaddique91

Hi @jzheaux, I want to work on this issue. I am thinking of adding a tip and a sample after the authorize-requests section in the servlet authorization page. What do you think?

ahmd-nabil avatar Dec 02 '23 18:12 ahmd-nabil

@ahmd-nabil @jzheaux Hi all, could somebody help please: how can I resolve it in the latest spring-boot version (3.3.1)? When I create two filter chains for public and secured paths, on the secured paths I get formLogin, but it is disabled by `.httpBasic { it.disable() }` and `.formLogin { it.disable() }`.

youagree avatar Jul 01 '24 18:07 youagree