I want to disable Spring Security from running based on RequestURI. So I don't want to enter the configure method, because I find "AuthenticationManager" in the "auth/findRealm" service.

我想禁止Spring Security基于RequestURI运行。因此，我不想进入配置方法，因为我在“auth/findRealm”服务中找到了“AuthenticationManager”。

Java version: 17
Spring Security version: 2.7.4

SecurityClass

安全类

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
    private final AuthenticationManagerResolver authenticationManagerResolver;
    private final boolean authenticationEnabled;

    public SecurityConfig(
            @Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
            @Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
            AuthenticationManagerResolver authenticationManagerResolver) {
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
        this.authenticationManagerResolver = authenticationManagerResolver;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
            http
                    .cors().and()
                    .authorizeRequests()
                    .antMatchers("/auth/findRealm").permitAll()
                    .anyRequest().authenticated()
                    .and().exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .and()
                    .oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
                    .authenticationManagerResolver(request -> authenticationManagerResolver.resolveAuthenticationManager(request));
        return http.build();
    }
}

Custom AuthenticationManagerResolver class

自定义身份验证管理器Resolver类

@Service
@RequiredArgsConstructor
public class AuthenticationManagerResolver {

    private final AuthenticationClientService authenticationClientService;

    public AuthenticationManager resolveAuthenticationManager(HttpServletRequest request) {
        String applicationCode = request.getHeader("applicationCode");
        String realm = authenticationClientService.findRealm(applicationCode);
        JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(realm));
        return new ProviderManager(Collections.singletonList(authenticationProvider));
    }
}

How can I overcome this situation?

我该如何克服这种情况？

To completely disable spring security to apply for certain URLs , you can configure a WebSecurityCustomizer bean to customize WebSecurity :

要完全禁用Spring安全来应用某些URL，您可以配置WebSecurityCustomizer Bean来自定义WebSecurity：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers("/foo" , "/bar/**");
    }

}

which will disable the spring security to apply for the URL /foo and /bar and and all sub-paths under /bar (e.g. /bar/baz)

这将禁用Spring安全来申请URL/foo和/bar以及/bar下的所有子路径(例如/bar/baz)