Security does not allow access to REST API for unauthenticated users

Hey,

I have a Spring RestController for an external service, that sends API requests to it.

```java
@AnonymousAllowed
@PermitAll
@RestController
@RequestMapping("/api/stripe")
@RequiredArgsConstructor(onConstructor_ = @Autowired)
public class PaymentWebhook {

    @PostMapping("callback")
    public ResponseEntity<?> callback(@RequestBody String payload) {
        // handler body not shown in the post
    }
}
```

My SecurityConfig allows access for unauthorized users to all pages starting with "/api", see:

```java
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests().requestMatchers("/public/**", "/line-awesome/**", "/api/**").permitAll();

    super.configure(http);
    setLoginView(http, LoginView.class);
  }
```

When I am logged in (authenticated with my user), the REST Controller works properly.
In any other case I am getting redirected to login view.

How can this be?

You need to override the other method, which takes WebSecurity as a parameter.

You have to tell Vaadin to ignore the /api mapping and probably also disable CSRF
Take a look at this SO question and see if it helps you: Spring RequestMapping returning auto generated vaadin html page - Stack Overflow

Did not work

I am not sure what I have to do with that

Because there are no such methods and I am not experienced with Spring Security

```java
    // ... rest of the security configuration class ...
    @Override
    protected void configure(WebSecurity web) {
        web.ignoring().requestMatchers("/api/stripe/**");
    }
}
```

Ok thanks

I’ll try

Np

Still does not work

I am getting redirected to the login view

Did you try to add the logger configuration that is present in the SO answer? It should tell you something useful.

```properties
logging.level.org.springframework.security=DEBUG
```

It starts with
```
2023-05-02T21:03:39.141+02:00 DEBUG 61016 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Securing GET /login
```

Even though I am accessing /api/stripe/callback

I don't know what I should do about that

Is there only this line?

I checked and it looks like the method of Stripe gets called, but the response is not displayed due to the redirection to the login page.

Due to an error being thrown I get redirected to the /error page that is not covered by the security config in terms of unauthenticated users
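
The cause found in the last post (the handler throws, the request ends up at /error, and /error requires authentication) can be covered in the security configuration. The following is an added example, not code from the thread or from Vaadin. It assumes Vaadin 24 with Spring Security 6, a configuration class extending VaadinWebSecurity, Spring Boot's default /error path, and a hypothetical package name; LoginView is the view class from the thread, assumed to live in the same package.

```java
package com.example.security; // hypothetical package name

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // Open only the webhook path to anonymous callers, not everything under /api/**.
    private static final RequestMatcher STRIPE_WEBHOOK =
            new AntPathRequestMatcher("/api/stripe/**");

    // Spring Boot's default error path (assumed unchanged). When the handler throws,
    // the request is dispatched here and passes through the authorization rules again.
    private static final RequestMatcher ERROR_PAGE =
            new AntPathRequestMatcher("/error");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Register these before super.configure(http), which adds the catch-all
        // rule requiring authentication for every other request.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(STRIPE_WEBHOOK, ERROR_PAGE).permitAll());

        // The external caller has no session and cannot send a CSRF token,
        // so CSRF checking is skipped for the webhook path only.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(STRIPE_WEBHOOK));

        super.configure(http);
        setLoginView(http, LoginView.class);
    }
}
```

With /error permitted, a failing webhook call returns the error response instead of a redirect to the login view, so the underlying exception becomes visible to the caller and in the logs.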