ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0
521 stars 84 forks

Spring Starter OICD, Resource Server: Option to disable the default behavior for authorized/protected routes #185

Closed Cammeritz closed 6 months ago

Cammeritz commented 6 months ago

Is your feature request related to a problem? Please describe. The default behavior is that all routes are protected and the non-authorized/anonymous routes must be defined via "permit-all" in the application properties/yml. This behavior is great and best practice for probably almost all use cases. The problem I have now with it is that we have a backend set-up which serves as a URL shortener. Thus the routes are /{dynamic} and /admin/**. The /admin/** routes should be protected, but everything else not.

Describe the solution you'd like A setting which allows changing the default behavior from "deny-/**" to "permit-/**". In addition to that, the configuration must have the counterpart to the "permit-all" property, which would be "deny-all", to achieve the desired functionality.

Example of how a link could look like: https://spx.cx/this-route-can-also-by-dynamic (redirects to this issue)

ch4mpy commented 6 months ago

As a preamble, the default is not permitAll() / denyAll() but permitAll() / isAuthenticated().

I suggest that you define a path prefix for shortened URLs. For instance, with /u as path prefix and permit-all=/u/** in conf, you'd keep the default behavior which protects your /admin/**, but also any other route that could be exposed by any starter added at any point in time (authors of which would probably expect the Spring Security default: isAuthenticated()). Sample frequently used starters exposing endpoints are actuator or springdoc-openapi.

If a path prefix like /u is not acceptable, you can leave the permit-all property empty and expose a @Bean implementing:

This allows defining the access control rules for everything that isn't defined as permit-all (the default spring-addons-starter-oidc implementation is isAuthenticated(), just like spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server do).
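The following is an added example, not code from the spring-addons project or from either participant in this thread. The reply above leaves the spring-addons bean type unnamed, so this example uses plain Spring Security 6 (a SecurityFilterChain bean) to show the "permit by default, protect /admin/**" ordering the issue asks for, together with the caveat ch4mpy raises: once the catch-all is permitAll(), every endpoint contributed by another starter (actuator, springdoc-openapi) is anonymous unless it is matched by an earlier rule. The package name is hypothetical; the JWT resource-server setup assumes the usual issuer-uri property is configured elsewhere.

```java
// Added example (not from spring-addons or the issue). Plain Spring Security 6,
// no spring-addons post-processor. Inverts the default: anyRequest().permitAll()
// with explicit authenticated() rules placed BEFORE the catch-all.
package example; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class UrlShortenerSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Resource-server mode: bearer JWTs validated against the configured issuer.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top-down; the first matching rule wins,
                // so every protected prefix must appear before the catch-all.
                .requestMatchers("/admin/**").authenticated()
                // Endpoints exposed by other starters would otherwise become public
                // under a permit-all default; list them explicitly.
                .requestMatchers("/actuator/**").authenticated()
                .requestMatchers("/v3/api-docs/**", "/swagger-ui/**").authenticated()
                // Everything else, i.e. the /{dynamic} short links, is anonymous.
                .anyRequest().permitAll());
        return http.build();
    }
}
```

The trade-off is the one the reply describes: with the default isAuthenticated() catch-all, a forgotten route fails closed; with permitAll() as the catch-all, a forgotten route (or a starter added later) fails open, which is why the explicit deny rules above have to be maintained as the application grows.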