Custom Spring Security gotcha

Today, I created a new Spring Boot app.

I spent a few hours trying to stop Spring Security from blocking even my resources. And in my WebSecurityConfigurerAdapter extension I had written

http
.anyRequest().permitAll()

from the beginning, so why didn’t it work?

The answer is simple:

@Override
protected void configure(HttpSecurity http)

is an overriden method. And I forgot to remove the

super.configure(http);

call from the end— and it called:

http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();

Thus, my security setup was completely ignored.

Lesson for today: Watch your overrides.