Describe the bug: With a permitAll() configuration, requests still go into the filter.

Spring Security 6.1.0

To Reproduce

// JwtSecurityConfiguration.java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class JwtSecurityConfiguration {

    @Autowired
    public JwtUtils jwtUtils;

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(csrf -> csrf.disable())
                .cors(withDefaults())
                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // /login, /update and /logout need no authorization...
                .authorizeHttpRequests(auth -> auth.requestMatchers("/login","/update","/logout").permitAll())
                .authorizeHttpRequests(auth -> auth.requestMatchers("/api/**").authenticated())
                // ...but the filter below is still registered for every request in this chain
                .addFilter(new JWTAuthorizationFilter(authenticationManager(http.getSharedObject(AuthenticationConfiguration.class)), jwtUtils))
                .build();
    }
}

// JWTAuthorizationFilter.java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    private static ObjectMapper oMapper = new ObjectMapper();

    JwtUtils jwtUtils;

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager, JwtUtils jwtUtils) {
        super(authenticationManager);
        this.jwtUtils = jwtUtils;
    }

    // Minimal body for the reproduction: a breakpoint here is hit for /login as well
    @Override
    protected void doFilterInternal(HttpServletRequest req,
                                    HttpServletResponse res,
                                    FilterChain chain) throws IOException, ServletException {
        chain.doFilter(req, res);
    }
}

Expected behavior: the /login request should not enter the filter.

Comment From: marcusdacoregio

Hi @carlwang87, this is expected.

When you configure permitAll() you are telling Spring Security that you do not want any authorization on that endpoint, however, if there is any authentication filter, it will be invoked. See this answer https://stackoverflow.com/a/72971406/5454842.

What you can do is ignore some requests inside the filter itself, see this other answer on StackOverflow https://stackoverflow.com/a/68561393/5454842.
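One way to implement that second suggestion, as an added example that is not code from the issue or from Spring Security itself: BasicAuthenticationFilter extends OncePerRequestFilter, whose shouldNotFilter hook lets the filter skip the same paths the chain marks permitAll(). It assumes the reporter's JwtUtils type and the same three public paths as the configuration above.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical variant of the reporter's filter; JwtUtils is assumed to exist as in the report.
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    // Mirrors the permitAll() list in the SecurityFilterChain; the two must be kept in sync,
    // because permitAll() only removes the authorization check, not this filter.
    private static final RequestMatcher PUBLIC_ENDPOINTS = new OrRequestMatcher(List.of(
            new AntPathRequestMatcher("/login"),
            new AntPathRequestMatcher("/update"),
            new AntPathRequestMatcher("/logout")));

    private final JwtUtils jwtUtils;

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager, JwtUtils jwtUtils) {
        super(authenticationManager);
        this.jwtUtils = jwtUtils;
    }

    // OncePerRequestFilter calls this first; returning true forwards the request down the
    // chain without ever entering doFilterInternal, which is the behaviour the reporter expected.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return PUBLIC_ENDPOINTS.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No bearer token on a non-public path: leave the SecurityContext empty so the
            // authorizeHttpRequests rule for /api/** rejects the request downstream.
            chain.doFilter(req, res);
            return;
        }
        // Token validation through jwtUtils belongs here; its API is not shown in the report.
        chain.doFilter(req, res);
    }
}
```

A request to /api/** still reaches doFilterInternal, so the authenticated() rule keeps working; only the listed public paths bypass the filter.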