Hi,

I am in the process of learning about Spring Security and have been playing with this project after seeing your presentation on YouTube. I have a query about cutting down the processing of static assets.

I have seen in another blog post that in a WebSecurityConfigurerAdapter class you can override the configure method like this:

@Override
public void configure(WebSecurity web) {
    web.ignoring().mvcMatchers(...);
}

Doing this (I believe) means you can skip the whole filter chain process for specified paths. Am I correct in thinking this would be more efficient?

If so I have had a couple of issues implementing this. I created a new WebSecurityConfigurerAdapter and specified it as the first one to be processed:

@Configuration
@Order(1)
public static class SkipSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().mvcMatchers("/assets/**", "/webjars/**");
    }
}

I also removed the .antMatchers("/assets/**", "/webjars/**").permitAll() lines from both other WebSecurityConfigurerAdapter classes (leaving in .antMatchers("/").permitAll() in AppSecurityConfig).

This succeeds in clearing the filter chain if I go to specific resources directly like http://localhost:8080/assets/img/logo.png but breaks the other WebSecurityConfigurerAdapter classes as they no longer seem to be picked up.

Is this a valid thing to be doing and if so how should it be implemented to ensure the 2 existing filter chains work as expected?

Thanks,

David.