Describe the bug The url is configured with no need to verify permissions, but after carrying the token in the header, the validity of the token will still be verified first

图片 图片

To Reproduce Steps to reproduce the behavior. 1、Set configuration to not verify permission url is /** 图片

2、use postman Send a request ,Any request url ,header carry token

图片

Expected behavior This request should be successful,Should not be intercepted, perform permission verification

Sample

Sorry, due to some reasons, we are unable to provide relevant cases。 thanks you

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.

Comment From: marcusdacoregio

Hi @chengweng, this behavior is expected with Spring Security filters. If a authentication mechanism is provided in the request, Spring Security will try to authenticate and, if the credential is not valid, a authentication error will happen. I see that you have some custom authentication filters, so, instead of throwing the exception when the credential is invalid, you can just not set a SecurityContext making the AuthorizationFilter responsible to decide whether the request will pass.

We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

Comment From: chengweng

Hi @chengweng, this behavior is expected with Spring Security filters. If a authentication mechanism is provided in the request, Spring Security will try to authenticate and, if the credential is not valid, a authentication error will happen. I see that you have some custom authentication filters, so, instead of throwing the exception when the credential is invalid, you can just not set a SecurityContext making the AuthorizationFilter responsible to decide whether the request will pass.

We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

thanks you