Security filter chain: deny by default
Order matters, and the default is no
Spring Security builds a chain of servlet filters that runs before your controllers. Each request walks the chain, picking up authentication, authorization, CSRF, CORS, and security headers along the way. Authorization rules are evaluated in the order you declare them and the first matching rule wins, so specific requestMatchers go first and anyRequest() goes last (Spring Security 6 rejects a configuration that adds matchers after anyRequest()). The safest default is: deny everything, then explicitly permit the endpoints that need to be public.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(a -> a
                .requestMatchers("/public/**", "/actuator/health").permitAll() // specific first
                .anyRequest().authenticated())                                 // catch-all last
            .oauth2ResourceServer(r -> r.jwt(Customizer.withDefaults()))
            // stateless bearer-token API, no session cookie: CSRF can be off; cookie-backed apps keep it on
            .csrf(c -> c.disable())
            .build();
    }
}
Takeaways
- Deny first, permit specifically.
- Understand the filter order, both the order of matchers inside a chain and the order of multiple SecurityFilterChain beans: it is the source of most "why isn't my auth firing?" bugs.
- CSRF, CORS, and auth are different problems with different solutions.
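The two ordering rules (matchers inside a chain, and chains relative to each other) and the CSRF/CORS split from the takeaways, worked through in one configuration. This is an added example written for this lesson, not the lesson's own snippet or Spring's code: it assumes Spring Boot 3 with Spring Security 6, the oauth2-resource-server starter with a JWT issuer configured in application properties, and a hypothetical browser origin https://app.example.com.

```java
// Added example for this lesson (not the original snippet). Assumes Spring Boot 3 /
// Spring Security 6 and a configured JWT issuer for the resource server.
package example.security; // hypothetical package

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig {

    // Chain 1 handles only /api/**. It must be ordered before the catch-all chain:
    // chains are tried in @Order and the first whose securityMatcher matches wins,
    // so a catch-all ordered first would swallow every request and this chain
    // would never run (the JWT check "doesn't fire").
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        return http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(a -> a
                .requestMatchers("/api/public/**").permitAll() // specific rules first
                .anyRequest().authenticated())                 // catch-all rule last
            .oauth2ResourceServer(r -> r.jwt(Customizer.withDefaults()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No session cookie means nothing a browser attaches automatically,
            // so there is no CSRF ambient authority to protect against.
            .csrf(c -> c.disable())
            // CORS is a separate, browser-only control; this picks up the
            // corsConfigurationSource bean below.
            .cors(Customizer.withDefaults())
            .build();
    }

    // Chain 2 has no securityMatcher, so it is the fallback for everything else.
    // It is browser-facing and session-backed, so CSRF protection stays on
    // (default session-stored token, rendered into forms by the view layer).
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(a -> a
                .requestMatchers("/", "/login", "/css/**", "/actuator/health").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .csrf(Customizer.withDefaults())
            .build();
    }

    // CORS policy for the API chain. Allow-list exact origins; never pair a
    // wildcard origin with credentials. The origin below is an assumed value.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com")); // hypothetical front end
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

Swap the two @Order values and every request, /api/** included, falls through to webChain: the JWT decoder never runs and API clients are redirected to the login page instead of getting a 401. Within a chain the same first-match rule applies, which is why the permitAll() matchers sit above anyRequest(). Note that the CORS bean and the CSRF setting are independent of each other and of authentication: CORS decides which browser origins may read responses, CSRF decides whether an ambient cookie can be replayed, and the authorizeHttpRequests block decides who may call what.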