I have an application with the following resources,

  • POST /car
  • Create API POST /car/{someId}
  • Update API GET /car/insurance
  • POST /car/insurance-note - Required Basic AUTH

Only the last API needs basic auth; the rest of the URLs above should allow everyone, regardless of whether a "BASIC xxxx" header is passed or not.

I have a configuration as follows,

http
    .antMatcher("/car/insurance-note")
    .httpBasic()
    .and().authorizeRequests().antMatchers("/car/**").permitAll();

This does allow access to the other URLs regardless of whether I pass a BASIC header or not. However, it also allows /car/insurance-note in without a BASIC header.

Then I changed the configuration to,

http.authorizeRequests()
            .antMatchers("/car/insurance-note")
            .hasAuthority("USER")
            .and()
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers("/car/**")
            .permitAll();

Now, it also looks like any time a request has a "BASIC xxx" header, the permitAll does not work.
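An added example (not the issue author's configuration, and not code from Spring Security itself) of one way to get the behaviour described above, assuming Spring Security 5.x with WebSecurityConfigurerAdapter and a UserDetailsService configured elsewhere: two ordered filter chains, so that only /car/insurance-note carries the HTTP Basic filter and an Authorization header on the other /car URLs is never validated.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not the issue author's configuration. Assumes Spring Security 5.x
// (WebSecurityConfigurerAdapter) and a UserDetailsService configured elsewhere.
@Configuration
@EnableWebSecurity
public class CarSecurityConfig {

    // Chain 1: consulted first and only for /car/insurance-note. It is the only chain
    // that adds BasicAuthenticationFilter, so Basic credentials are validated here alone.
    @Configuration
    @Order(1)
    public static class InsuranceNoteSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/car/insurance-note")
                .authorizeRequests()
                    // use hasAuthority("USER") instead if your users carry that authority
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Chain 2: every other /car/** URL. There is no httpBasic() here, so a stray
    // "Authorization: Basic ..." header on these requests is ignored rather than
    // validated, which a single chain that calls httpBasic() cannot give you.
    @Configuration
    @Order(2)
    public static class OpenCarSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/car/**")
                .authorizeRequests()
                    .anyRequest().permitAll();
            // CSRF protection is still on in this chain; relax it only for
            // stateless, non-browser API calls, and do so deliberately.
        }
    }
}
```

With a single chain that calls httpBasic(), BasicAuthenticationFilter validates any Authorization: Basic header it sees, so invalid credentials on a permitAll URL still produce a 401; that is the behaviour the second configuration in the question runs into.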

Comment From: jzheaux

Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

Comment From: bhattacharyyasom

I actually did raise a post on Stack Overflow and I did not get any traction on it. @jzheaux is there documentation to clearly understand how the HttpSecurity API works? I am unable to find help in the Spring docs.