Description
A common question is "why do my public endpoints fail with a 401 when they are given invalid credentials?"
The answer I usually give is:
This is by design. Generally speaking, an authorization system would need to know who the user is before knowing whether the user can do X, Y, or Z operation. And even with a public endpoint, the endpoint may behave differently when a user is in context. So, in the end, they are separate systems with authentication coming first: if a request presents credentials, then the framework will try to authenticate the user and accept or deny the request accordingly.
This should be documented somewhere, including how to configure public endpoints so that they never attempt authentication.