
Spring Security 6 Config for non authenticated Endpoints not working

After updating Spring Boot to version 3.0.1 and Spring Security 6.0, the public endpoints without authentication are no longer working. I followed the upgrade guide for Spring Security 6 and removed the WebSecurityConfigurerAdapter.

My Security Config:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {

    @Value("${auth0.audience}")
    private String audience;

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
                JwtDecoders.fromOidcIssuerLocation(issuer);

        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/rest/public/**").permitAll()
                        .anyRequest().authenticated()
                )
                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
                .build();
    }
}

I'm using Postman to execute GET calls (e.g. http://localhost:8090/rest/public/export/) to my application and it keeps telling me that authentication is needed -> 401 Unauthenticated

Spring Security specific Startup Logs

swordEncoderAuthenticationManagerBuilder : No authenticationProviders and no parentAuthenticationManager defined. Returning null.
o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@6acb45c1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@294c44b7, org.springframework.security.web.context.SecurityContextHolderFilter@5dd23809, org.springframework.security.web.header.HeaderWriterFilter@13390a96, org.springframework.security.web.csrf.CsrfFilter@af9dd34, org.springframework.security.web.authentication.logout.LogoutFilter@3f80d8c, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@41bd6a0f, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@60ab895f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@78bd02c8, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@30bbe83, org.springframework.security.web.access.ExceptionTranslationFilter@57b33c29, org.springframework.security.web.access.intercept.AuthorizationFilter@3c8fe8ad]
o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8090 (http) with context path 

Logs when calling a public endpoint:

o.s.security.web.FilterChainProxy        : Securing GET /rest/public/export/
o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8090/rest/public/export/?continue to session

I've followed this guide: https://docs.spring.io/spring-security/reference/migration/index.html

asked Dec 18 '25 18:12 by Stuzfuz


1 Answer

You need to declare your class as @Configuration because otherwise the declared @Beans won't be created and registered in the application context. It should look like this:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {
    // ... bean definitions unchanged from the question ...
}
answered Dec 21 '25 09:12 by Times
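
A regression test for the behaviour discussed above, as an added example that is not part of the original question or answer: it fails with a 401 on the public path when the SecurityFilterChain bean from SecurityConfig is not registered, and confirms that paths outside /rest/public/** still reject anonymous requests. It assumes spring-boot-starter-test is on the test classpath; the property values and the path /rest/private/ping are constructed placeholders.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

// Added example: checks the authorization rules of the filter chain in the question.
@SpringBootTest(properties = {
        // Constructed placeholder values so the @Value fields resolve in the test.
        "auth0.audience=test-audience",
        "spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer.example.invalid/"
})
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired
    private MockMvc mockMvc;

    // Stands in for the JwtDecoder bean so the test does not contact the issuer.
    @MockBean
    private JwtDecoder jwtDecoder;

    @Test
    void publicPathIsReachableWithoutToken() throws Exception {
        // permitAll() on /rest/public/** means an anonymous request must not
        // be answered with 401, whatever the controller itself returns.
        mockMvc.perform(get("/rest/public/export/"))
                .andExpect(result ->
                        assertNotEquals(401, result.getResponse().getStatus()));
    }

    @Test
    void otherPathsStillRequireToken() throws Exception {
        // Hypothetical path outside /rest/public/**; anyRequest().authenticated()
        // must reject it before any controller is reached.
        mockMvc.perform(get("/rest/private/ping"))
                .andExpect(status().isUnauthorized());
    }
}
```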


