Spring Security WebSecurity#ignoring() doesn't have an effect

Summary

When you set web.ignoring().antMatchers("/resources/**") filters are still applying to "/resources/" containing URLs

Actual Behavior

1. set web.ignoring().antMatchers("/resources/**")
2. debug FilterChainProxy#doFilterInternal
3. see block "if (filters == null || filters.size() == 0)" which applies default filter

Expected Behavior

If you set web.ignoring().antMatchers("/resources/**") - "/resources/" containing URLs should execute empty filter chain

Configuration

web.ignoring().antMatchers("/resources/**")

Version

spring-boot-starter-security 1.3.2.RELEASE uses 4.0.3.RELEASE

Comment From: rwinch

Thanks for the report. Can you provide a sample? I am unable to reproduce this.

Comment From: dzharikhin

Oh, sorry. Just found my custom filter is exposed as bean and that's why it was presented in default filter chain. Prepare snippet is goot practice! Thank you

Comment From: hvgotcodes

I'm seeing this too. I have a custom PreAuth provider and PreAuth filter. Even with

web.ignoring().andMatchers("/e1")

my custom auth provider is still being invoked. Am I supposed to not return anything from the pre auth filter in this case?

Comment From: alrawasabed

hello @hvgotcodes did you find a solution for your case? I see the same behavior you described while having this in a ResourceServerConfigurer: .addFilterBefore(myCustomFilter(), AbstractPreAuthenticatedProcessingFilter.class)