Spring Security Default url are authenticated when any security matcher is specified

authentication-bug.zip Spring boot 3.2.3 Code to reproduce is attached. Start own authorization server before and update properties.yaml before start application See comments: ```
@Bean public SecurityFilterChain security(HttpSecurity http) throws Exception { return http .cors(withDefaults()) .authorizeHttpRequests(config -> { config .requestMatchers("", "/v3/api-docs/", "/swagger-ui/").permitAll() .anyRequest().authenticated(); } ) .securityMatcher("/tech/").httpBasic(withDefaults()) //add it makes default url public .oauth2ResourceServer(configurer -> configurer.jwt(withDefaults())) .build(); }

Comment From: lowcasz

I have found it when trying to solve this problem: https://github.com/spring-projects/spring-boot/issues/40030

Comment From: jzheaux

Hi, @lowcasz. I'm sorry you are having trouble, and thanks for reaching out.

As far as I've understood, you've described the expected behavior. When you use securityMatcher, that states which subset of the site you would like Spring Security to secure. The configuration above will only apply Spring Security's protection to endpoints that start with /tech.

This means Spring Security won't secure an endpoint like /.

If you want different authentication mechanisms for different endpoints, you can either publish your own AuthenticationFilter and AuthenticationManagerResolver or you can publish multiple filter chains.

I'm going to close this and encourage you to continue this on StackOverflow. I'd be happy to support you over there if you paste the link to your question here.