
Spring security 401 Unauthorized on unsecured endpoint


Spring Boot was not applying the configuration because it couldn't find it. In Application.java, the config package was not included in the @ComponentScan annotation.


After some research, here is the solution:

    @SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
    @ComponentScan(basePackages = {
            PackageConstants.PACKAGE_CONTROLLERS_REST, PackageConstants.PACKAGE_SERVICES,
            PackageConstants.PACKAGE_SERVICES_IMPL, PackageConstants.PACKAGE_MONGO_REPOSITORIES,
            PackageConstants.PACKAGE_MONGO_REPOSITORIES_IMPL, PackageConstants.PACKAGE_UTILS })
    public class Application {

        // Main class that runs on bootRun
        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }

The main line is @SpringBootApplication(exclude = {SecurityAutoConfiguration.class }); it tells Spring not to use the Spring Boot Security auto-configuration. It is not a full answer, because now you have to tell Spring to use your Spring Security configuration class. Also, I advise you to create an Initializer class that initializes the root config classes using ApplicationConfiguration, and to stop using Spring Boot applications. Something like this:

ApplicationConfig:

    @Configuration
    @EnableWebMvc
    @ComponentScan("com.trueport.*")
    @PropertySource("classpath:app.properties")
    public class ApplicationConfig extends WebMvcConfigurerAdapter {
        ....
    }

ApplicationSecurityConfig:

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
        ....
    }

Initializer:

    public class Initializer implements WebApplicationInitializer {

        private static final String DISPATCHER_SERVLET_NAME = "dispatcher";

        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
            ....
            DispatcherServlet dispatcherServlet = new DispatcherServlet(ctx);
            dispatcherServlet.setThrowExceptionIfNoHandlerFound(true);
            ctx.register(ApplicationConfig.class);
            ServletRegistration.Dynamic servlet =
                    servletContext.addServlet(DISPATCHER_SERVLET_NAME, dispatcherServlet);
            servlet.addMapping("/");
            servlet.setLoadOnStartup(1);
            servlet.setAsyncSupported(true);
        }
    }


You need to add the following to your configure method. /error is the default fallback when an error occurs in the application due to any exception, and it is secured by default.

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // disable CSRF (not shown in this snippet)
        httpSecurity
            // no authentication needed for these context paths
            .authorizeRequests()
            .antMatchers("/error").permitAll()
            .antMatchers("/error/**").permitAll()
            .antMatchers("/your Urls that dosen't need security/**").permitAll()
            // ... your remaining authorization rules follow here
            ;
    }

Also the code snippet below:

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity
            .ignoring()
            // All of Spring Security will ignore the requests
            .antMatchers("/error/**");
    }

Now you will not get a 401 and will get a 500 exception with details when an exception occurs for permitAll URLs.
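
As an added example (not code from any of the answers above), here is a complete configuration class that combines the points made on this page: it sits in a component-scanned package, opens /error and the public paths with permitAll(), and keeps everything else behind authentication. It uses permitAll() rather than ignoring() so the open paths still pass through the Spring Security filter chain. The package name, the /public/** prefix and the choice of HTTP Basic are assumptions, and WebSecurityConfigurerAdapter with antMatchers applies to Spring Security 5.x and earlier.

```java
// Assumed package; it must be covered by @ComponentScan (or sit below the
// @SpringBootApplication class), otherwise this configuration is never applied.
package com.example.app.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class PublicEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed prefix standing in for "your URLs that don't need security".
    private static final String PUBLIC_PATHS = "/public/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in order and the first match wins,
                // so the open paths must be listed before the catch-all.
                // An exception thrown by a public endpoint is forwarded to
                // /error; if /error required a login, the client would see
                // 401 instead of the real error response.
                .antMatchers("/error", "/error/**").permitAll()
                .antMatchers(PUBLIC_PATHS).permitAll()
                // Deny by default: anything not listed above needs a login.
                .anyRequest().authenticated()
                .and()
            // Assumed authentication mechanism for the protected paths.
            .httpBasic();
    }
}
```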