URL marked as "permitAll" is still checking the header token


Ruochao Zheng

Apr 13, 2017, 8:49:18 PM
to pac4j-users
Hi,

I'm using JWT and HeaderClient (and also AnonymousClient) to do authentication in a Spring environment. I have some URLs marked as "permitAll" and some marked as "isAuthenticated".

So my question is: the URLs marked as "isAuthenticated" will check the header, which is fine.

But for a URL marked as "permitAll", if I also pass the same header with an invalid value, it will still check it and throw an exception.

Do you know why the behavior is like that?

Thanks,
Rick

Jérôme LELEU

Apr 14, 2017, 9:34:22 AM
to Ruochao Zheng, pac4j-users
Hi,

Yes, this is the standard behavior: if we find a header with a value, we check it.

For anonymous access, you should not pass the header.

Thanks.
Best regards,
Jérôme
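
The behavior described in the reply above, as an added example that is not part of the original thread and is not pac4j code: a simplified, JDK-only model in which a header client runs before an anonymous fallback, so a present-but-invalid token is rejected even on a "permitAll" URL instead of being downgraded to anonymous. The `Authorization` header name, the HMAC token format (a stand-in for a JWT), the key, and the status strings are all assumptions constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Simplified model of the behavior in this thread; it does not use pac4j classes.
public class HeaderThenAnonymous {
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
    // Toy token "<subject>.<base64url HMAC-SHA256 of subject>", standing in for a JWT.
    static String sign(String subject) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(subject.getBytes(StandardCharsets.UTF_8));
        return subject + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Header absent: no credentials, so the anonymous fallback may apply.
    // Header present: it is always verified; a bad value is an error, never "anonymous".
    static Optional<String> headerClient(Map<String, String> headers) throws Exception {
        String token = headers.get("Authorization"); // header name is an assumption
        if (token == null || token.isEmpty()) return Optional.empty();
        int dot = token.lastIndexOf('.');
        String subject = dot < 0 ? "" : token.substring(0, dot);
        boolean ok = dot > 0 && MessageDigest.isEqual(
                sign(subject).getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new SecurityException("invalid token in Authorization header");
        return Optional.of(subject);
    }

    // Header client first, anonymous second; then the URL rule is applied to the result.
    static String handle(String rule, Map<String, String> headers) {
        try {
            Optional<String> user = headerClient(headers);
            boolean allowed = rule.equals("permitAll") || user.isPresent();
            return allowed ? "200 as " + user.orElse("anonymous") : "401 authentication required";
        } catch (Exception e) {
            return "401 " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> bad = Map.of("Authorization", "rick.not-a-valid-tag"); // constructed
        Map<String, String> good = Map.of("Authorization", sign("rick"));
        System.out.println("permitAll, no header:   " + handle("permitAll", Map.of()));
        System.out.println("permitAll, bad header:  " + handle("permitAll", bad));
        System.out.println("permitAll, good header: " + handle("permitAll", good));
        System.out.println("isAuthenticated, none:  " + handle("isAuthenticated", Map.of()));
    }
}
```

A client that wants anonymous access to a "permitAll" URL should therefore drop the header entirely rather than send a stale or placeholder token.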

