Spring Security filter chain not ignoring specified path [duplicate]

Answer 1

Just a suggestion.

Is it possible, that you are hitting not authentication, but cors?

Authentication - HTTP status 401

CORS - HTTP status 403

if you enable cors and don't configure it, it doesn't permitt any cros-origin requests. From CorsConfiguration javadoc:

By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed.

Answer 2

Thanks to @dur for asking if I was using Spring Boot, which led me to the solution.

This is made me start thinking about how Spring Boot likes to automagically create beans for us on the fly, which ended up being the culprit here. Turns out that my JwtAuthenticationFilter class was being automatically put into the filter chain by Spring Boot, but also being included in the security filter chain when I explicitly declared it in my security config. So although I was correct to exclude /auth/token in the ignoring() method in security config, that wasn't enough to stop the filter from happening in the context of Spring Boot itself. The solution was to configure a bean that explicitly prevents it from being added by Spring Boot

@Bean
public RegistrationBean jwtAuthFilterRegister(JwtAuthenticationFilter filter) {
    FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
    registrationBean.setEnabled(false);
    return registrationBean;
}