spring-security returns 401 despite authorizeRequests().anyRequest().permitAll()

Question

I\'m using spring-security and spring-security-oauth2 (JWT access tokens) for authentication and authorization. The idea is to let all requests through

Answer 1

You're almost there. It's an easy fix - the javadoc of @EnableResourceServer provides the answer:

Users should add this annotation and provide a @Bean of type ResourceServerConfigurer (e.g. via ResourceServerConfigurerAdapter) that specifies the details of the resource (URL paths and resource id).

You're using a WebSecurityConfigurerAdapter however. Just change it to ResourceServerConfigurerAdapter and enhance the visibility of configure:

@EnableResourceServer
public static class SecurityConfig extends ResourceServerConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
// snip
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests().anyRequest().permitAll();
        }
// snip