Difference between Web ignoring and Http permitting in Spring Security?

D.Tomov :

What is the difference between these two methods?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/api/**").permitAll();
}

@Override
public void configure(WebSecurity web) {
    web.ignoring().antMatchers("/api/**");
}

In a Spring Security configuration class, when I use the HttpSecurity one it still gives me 403 Forbidden, but when I use the WebSecurity one it passes fine. Why is that? I feel like I barely control what is permitted and what needs to be authorized via filter.

Nikolas :

I suggest you skim over this article: Spring Security Java Config Preview: Web Security. The differences between the two approaches in your code are:

  • HttpSecurity allows configuring web-based security for HTTP requests. At this level, you declare the authentication rules.
  • WebSecurity allows configuring things that have a global impact on all of the web security, such as setting the debug mode, enabling further firewall configuration using an implementation of the HttpFirewall, or simply ignoring resources as your code shows.

You might be interested in the 3rd configure method of WebSecurityConfigurerAdapter which uses:

  • AuthenticationManagerBuilder that enables and assures the authentication mechanism such as LDAP based authentication or the JDBC based one.
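
The three configure methods side by side, as an added example that is not part of the original question or answer. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is available; the class name, the static-resource paths and the in-memory user are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Hypothetical class name; assumes Spring Security 5.x (WebSecurityConfigurerAdapter).
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    // Per-request rules. Matching requests still traverse the security filter
    // chain (CSRF, security headers, session handling); only the authorization
    // decision is "allow everyone", so another filter can still reject them.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/api/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    // Global settings. Ignored paths get no security filter chain at all:
    // no authentication, no CSRF check, no security headers, no SecurityContext.
    // "/css/**" and "/js/**" are assumed static-resource paths.
    @Override
    public void configure(WebSecurity web) {
        web.debug(false)
           .httpFirewall(new StrictHttpFirewall())
           .ignoring().antMatchers("/css/**", "/js/**");
    }

    // Authentication mechanism. In-memory here; LDAP or JDBC plug in the same way.
    // The user name and password are constructed sample values.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        auth.inMemoryAuthentication()
            .withUser("demo-user")
            .password(encoder.encode("constructed-sample-password"))
            .roles("USER");
    }
}
```

Keeping `ignoring()` limited to static resources and using `permitAll()` for public endpoints leaves the security headers and CSRF handling in place on those endpoints.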
