Skip to content

Disable @PreAuthorize filtering #17849

New issue
New issue
Open
Open
Disable @PreAuthorize filtering#17849
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: enhancementA general enhancement
@rcbandit111

Description

@rcbandit111
rcbandit111
opened on Sep 5, 2025

Expected Behavior

I have a Spring Security configuration for permitting all requests:

@Configuration
@EnableWebSecurity
@Profile("no-auth")
public class NoAuthSecurityConfig {

  private static final Logger logger = LoggerFactory.getLogger(NoAuthSecurityConfig.class);

  public NoAuthSecurityConfig() {
  }

  @Bean
  @Order(1)
  public SecurityFilterChain noAuthSecurityFilterChain(final HttpSecurity httpSecurity) throws Exception {
    return httpSecurity
            .csrf(AbstractHttpConfigurer::disable)
            .formLogin(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth ->
                    auth.anyRequest().permitAll()
            )
            .build();
  }
}

Current Behavior

But it's not working for endpoints with: @PreAuthorize. I get:

org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
    at org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler.handleDeniedInvocation(ThrowingMethodAuthorizationDeniedHandler.java:38) ~[spring-security-core-6.5.0.jar:6.5.0]
When I remove @PreAuthorize it's working fine.

Do you know what is the correct way to disable Spring Security in Spring Cloud 2025.0.0?

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: enhancementA general enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions