Java – Spring Boot Security – Anonymous User access on default mapping /


We have a Spring Boot based application and we wanted to give the default / mapping access to anonymous users.
We have added the default index.html (basic page).

In Controller

public ModelAndView defaultViewManager(HttpServletRequest request) {
    // Default mapping.
    ModelAndView modelAndView = new ModelAndView("index");
    return modelAndView;
}


public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String SSO_HEADER = "AUTH_USER";

    public static final String ADMIN = "ROLE_ADMIN";
    public static final String USER = "ROLE_USER";
    public static final String ANONYMOUS = "ROLE_ANONYMOUS";

    private PreAuthUserDetailsService userDetailsService;

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    }

    public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);

        PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
        return authProvider;
    }

    public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        return filter;
    }
}

The above-mentioned code is probably not necessary, but for background, we are using a PreAuthenticatedAuthenticationProvider.

protected void configure(HttpSecurity http) throws Exception {

    // @formatter:off

    // @formatter:on
}

FYI, I have added the Interceptor too. The Interceptor appears to be triggered, even with the exclude pattern.

public void addInterceptors(InterceptorRegistry registry) {
}


In the above SecurityConfig code, I tried to permit using .antMatchers("/").permitAll() and added authority for the rest, meaning all /** and /admin/**. But this is not working. Please help by mentioning the correct antMatchers to provide anonymous access to the default / mapping only.

Thanks in Advance.

Best Solution

Looks like the antMatchers would need to be re-arranged to fix the precedence. To permit "all requests" at "/" first add anyRequest().permitAll(), then add the restricted directories, and finally the catch-all /** like so:


A view controller can be set up to map directly to the indexroot.html in the template directory (assuming Thymeleaf):

public void addViewControllers(ViewControllerRegistry registry) {
}

I believe the interceptor can still be excluded with simply "/", in any order:

public void addInterceptors(InterceptorRegistry registry) {
}
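
The matcher ordering discussed above, as an added example that is not the asker's or the answerer's code: the root rule is written with antMatchers("/"), the header name and role strings are reused from the question, and the class name and the injected UserDetailsService bean are assumptions. It also calls setExceptionIfHeaderMissing(false), because by default RequestHeaderAuthenticationFilter throws on a request without the header before any matcher is evaluated, which would block anonymous access to / regardless of rule order.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class RootAnonymousSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    private static final String SSO_HEADER = "AUTH_USER"; // header name from the question

    @Autowired
    private UserDetailsService userDetailsService; // assumption: some UserDetailsService bean exists

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Turns the principal name taken from the SSO header into a full UserDetails.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(SSO_HEADER);
        filter.setAuthenticationManager(authenticationManager());
        // Default is true: a missing header raises PreAuthenticatedCredentialsNotFoundException
        // inside the filter, so the request never reaches the authorization rules below.
        filter.setExceptionIfHeaderMissing(false);

        http
            .addFilter(filter)
            .authorizeRequests()
                // Rules are checked top to bottom and the first matching rule decides,
                // so the narrow rules must come before the /** catch-all.
                .antMatchers("/").permitAll()                         // exact root only
                .antMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
                .antMatchers("/**").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN");
    }
}
```

Because the filter trusts the AUTH_USER header as proof of identity, the application must only be reachable through the SSO proxy that sets it, and that proxy must strip any client-supplied copy of the header.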