Custom Spring Security gotcha

Today, I created a new Spring Boot app.

I spent a few hours trying to stop Spring Security from blocking even my resources. And in my WebSecurityConfigurerAdapter extension I had written


from the beginning, so why didn’t it work?

The answer is simple:

protected void configure(HttpSecurity http)

is an overriden method. And I forgot to remove the


call from the end— and it called:


Thus, my security setup was completely ignored.

Lesson for today: Watch your overrides.