After checking out the source code, from what i understand, this behaviour is configured default by CAS.
I'm not sure about the reason behind setting basic security by default every other path, but without changing the default behaviour and not knowing even if it's a good idea(probably not), you can use `cas.monitor.endpoints.ignored-endpoints` setting, by giving a global path config. In my local test environment(CAS 7.3.0), i've tried it like this: with default configs(embedded tomcat runs app at https://cas.example.com:8443/cas): 2025-11-04 22:40:22,191 INFO [org.springframework.boot.web.embedded.tomcat.TomcatWebServer] - <Tomcat started on port 8443 (https) with context path '/cas'> cas: monitor: endpoints: ignored-endpoints: - /** endpoint: defaults: access: ANONYMOUS with giving a globally ignoring path, any unknown paths did not get forced by basic authentication and https://cas.example.com:8443/cas/x started returning like this: {{"type":"ResourceNotFound","title":"HTTP Resource Not Found","status":404,"detail":"The HTTP resource is not found","instance":"/cas/x"} And here's an excerpt from my gpt convo(verify before believing): ⚠️ A note on the risk of “/**” You’re not actually disabling CAS’s login or SSO security; those are wired by their own security config: Configuring protocol endpoints [[/login**, /logout**, /validate**, ...]] to exclude/ignore from http security So /** in the monitor block won’t override that. It just prevents CAS’s *actuator/monitor* security layer from triggering Basic Auth for missing resources. ✅ TL;DR Recommended Config cas: monitor: endpoints: ignored-endpoints: - /** endpoint: defaults: access: ANONYMOUS Then restart CAS, curl /cas/something, and you should always get a clean JSON 404 — no BasicAuth challenge, no login redirect. Hope it helps. Some details: Default behaviour trace logs that Secures the unknown paths by invoking the BasicAuthenticationFilter : cas-server-support-webconfig -> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter class's configureHttpSecurity method calls the configureEndpointAccessToDenyUndefined method <https://github.com/apereo/cas/blob/v7.3.0/support/cas-server-support-webconfig/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java#L150> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Trying to match request against DefaultSecurityFilterChain defined as 'casWebSecurityConfigurerAdapter' in [class path resource [org/apereo/cas/config/CasWebSecurityConfiguration$CasWebappCoreSecurityConfiguration.class]] matching [any request] and having filters [DisableEncodeUrl, HttpsRedirect, WebAsyncManagerIntegration, SecurityContextHolder, Cors, Csrf, BasicAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, ExceptionTranslation, Authorization] (1/1)> 2025-11-04 23:05:27,944 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /x> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking DisableEncodeUrlFilter (1/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking HttpsRedirectFilter (2/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking WebAsyncManagerIntegrationFilter (3/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderFilter (4/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CorsFilter (5/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CsrfFilter (6/12)> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler] - <Wrote a CSRF token to the following request attributes: [_csrf, org.springframework.security.web.csrf.CsrfToken]> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.csrf.CsrfFilter] - <Did not protect against CSRF since request did not match And [PathPattern [/webauthn/**], Not [Or [org.apereo.cas.config.WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnSecurityConfiguration$1$$Lambda/0x00007f0708d5c000@3efe4622]]]> 2025-11-04 23:05:27,944 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking BasicAuthenticationFilter (7/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.authentication.www.BasicAuthenticationFilter] - <Did not process authentication request since failed to find username and password in Basic Authorization header> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking RequestCacheAwareFilter (8/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderAwareRequestFilter (9/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AnonymousAuthenticationFilter (10/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking ExceptionTranslationFilter (11/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AuthorizationFilter (12/12)> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Authorizing GET /x> 2025-11-04 23:05:27,945 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Denying request since did not find matching RequestMatcher> 2025-11-04 23:05:27,946 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 23:05:27,946 TRACE [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not find SecurityContext in HttpSession TST-2-****************L0z4rpH-YGPC using the SPRING_SECURITY_CONTEXT session attribute> 2025-11-04 23:05:27,946 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 23:05:27,946 TRACE [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=TST-2-****************L0z4rpH-YGPC], Granted Authorities=[ROLE_ANONYMOUS]]> 2025-11-04 23:05:27,946 TRACE [org.springframework.security.web.access.ExceptionTranslationFilter] - <Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=TST-2-****************L0z4rpH-YGPC], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied> org.springframework.security.authorization.AuthorizationDeniedException: Access Denied at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:125) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:181) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:75) at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.transport.HttpsRedirectFilter.doFilterInternal(HttpsRedirectFilter.java:63) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:228) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:241) at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:334) at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225) at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:138) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) at org.springframework.web.filter.ServletRequestPathFilter.doFilter(ServletRequestPathFilter.java:52) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebSecurityConfiguration.java:319) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$4(HandlerMappingIntrospector.java:267) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:240) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:111) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:110) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:36) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.apereo.cas.config.CasEmbeddedContainerTomcatFiltersConfiguration$1.doFilter(CasEmbeddedContainerTomcatFiltersConfiguration.java:101) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:142) at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:109) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:79) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:116) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666) at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:719) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1780) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) at java.base/java.lang.VirtualThread.run(VirtualThread.java:329) 2025-11-04 23:05:27,947 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <Saved request https://cas.example.com:8443/cas/x?continue to session> 2025-11-04 23:05:27,947 DEBUG [org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint] - <Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]> 2025-11-04 23:05:27,947 DEBUG [org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint] - <No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@26a9b38> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Trying to match request against DefaultSecurityFilterChain defined as 'casWebSecurityConfigurerAdapter' in [class path resource [org/apereo/cas/config/CasWebSecurityConfiguration$CasWebappCoreSecurityConfiguration.class]] matching [any request] and having filters [DisableEncodeUrl, HttpsRedirect, WebAsyncManagerIntegration, SecurityContextHolder, Cors, Csrf, BasicAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, ExceptionTranslation, Authorization] (1/1)> 2025-11-04 23:05:27,967 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /error> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking DisableEncodeUrlFilter (1/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking HttpsRedirectFilter (2/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking WebAsyncManagerIntegrationFilter (3/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderFilter (4/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CorsFilter (5/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CsrfFilter (6/12)> 2025-11-04 23:05:27,967 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking BasicAuthenticationFilter (7/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking RequestCacheAwareFilter (8/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderAwareRequestFilter (9/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AnonymousAuthenticationFilter (10/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking ExceptionTranslationFilter (11/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AuthorizationFilter (12/12)> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Authorizing GET /error> 2025-11-04 23:05:27,968 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Checking authorization on GET /error using org.springframework.security.authorization.SingleResultAuthorizationManager@609468ba> 2025-11-04 23:05:27,968 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /error> 2025-11-04 23:05:28,045 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 23:05:28,045 TRACE [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not find SecurityContext in HttpSession TST-2-****************L0z4rpH-YGPC using the SPRING_SECURITY_CONTEXT session attribute> 2025-11-04 23:05:28,045 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 23:05:28,045 TRACE [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=TST-2-****************L0z4rpH-*******], Granted Authorities=[ROLE_ANONYMOUS]]> After the configuration: 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Trying to match request against DefaultSecurityFilterChain defined as 'casWebSecurityConfigurerAdapter' in [class path resource [org/apereo/cas/config/CasWebSecurityConfiguration$CasWebappCoreSecurityConfiguration.class]] matching [any request] and having filters [DisableEncodeUrl, HttpsRedirect, WebAsyncManagerIntegration, SecurityContextHolder, Cors, Csrf, BasicAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, ExceptionTranslation, Authorization] (1/1)> 2025-11-04 22:57:48,622 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /x> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking DisableEncodeUrlFilter (1/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking HttpsRedirectFilter (2/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking WebAsyncManagerIntegrationFilter (3/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderFilter (4/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CorsFilter (5/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking CsrfFilter (6/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler] - <Wrote a CSRF token to the following request attributes: [_csrf, org.springframework.security.web.csrf.CsrfToken]> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.csrf.CsrfFilter] - <Did not protect against CSRF since request did not match And [PathPattern [/webauthn/**], Not [Or [org.apereo.cas.config.WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnSecurityConfiguration$1$$Lambda/0x00007f47a12155d0@7cb1e82b]]]> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking BasicAuthenticationFilter (7/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.authentication.www.BasicAuthenticationFilter] - <Did not process authentication request since failed to find username and password in Basic Authorization header> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking RequestCacheAwareFilter (8/12)> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided> 2025-11-04 22:57:48,622 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking SecurityContextHolderAwareRequestFilter (9/12)> 2025-11-04 22:57:48,623 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AnonymousAuthenticationFilter (10/12)> 2025-11-04 22:57:48,623 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking ExceptionTranslationFilter (11/12)> 2025-11-04 22:57:48,623 TRACE [org.springframework.security.web.FilterChainProxy] - <Invoking AuthorizationFilter (12/12)> 2025-11-04 22:57:48,623 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Authorizing GET /x> 2025-11-04 22:57:48,623 TRACE [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager] - <Checking authorization on GET /x using org.springframework.security.authorization.SingleResultAuthorizationManager@c9066e6> 2025-11-04 22:57:48,623 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /x> 2025-11-04 22:57:48,630 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 22:57:48,631 TRACE [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <No HttpSession currently exists> 2025-11-04 22:57:48,631 TRACE [org.springframework.security.web.context.SupplierDeferredSecurityContext] - <Created SecurityContextImpl [Null authentication]> 2025-11-04 22:57:48,631 TRACE [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]> YG 4 Kasım 2025 Salı tarihinde saat 22:44:08 UTC+3 itibarıyla Ronnie otts şunları yazdı: > This is my config for actuators and spring. > > > cas: > > ... > monitor: > > endpoints: > endpoint: > defaults: > access: ANONYMOUS > info: > access: ANONYMOUS > > > management: > endpoints: > web: > base-path: /actuators > exposure: > include: > - health > - info > - status > endpoint: > health: > access: UNRESTRICTED > info: > access: UNRESTRICTED > status: > access: UNRESTRICTED > metrics: > access: UNRESTRICTED > > spring: > aop: > proxy-target-class: true > autoconfigure: > exclude: > - > org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration > boot: > admin: > server: > enabled: false > main: > allow-bean-definition-overriding: true > security: > ignored-paths: /error,/favicon.ico,/robots.txt > > > Ronnie Otts > Enterprise Engineer II > University of West Florida > 850.474.3123 <(850)%20474-3123> > > > On Sat, Nov 1, 2025 at 6:03 AM Y G <[email protected]> wrote: > >> Hello, is it because actuator is set up, or in 404 requests, is CAS >> configured by default for these other urls as authenticated(i'm talking >> about Spring Security Configs)? >> >> 1 Kasım 2025 Cumartesi tarihinde saat 05:33:38 UTC+3 itibarıyla rotts >> şunları yazdı: >> >>> When browsing to a URL that should return a 404 page, the browser >>> instead prompts for basic authentication. >>> >>> For example, accessing /cas/x prompts the user for credentials with a >>> basic auth dialog, not the normal login page. >>> >>> I’d like to have users directed to a standard 404 page instead. >>> >> -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/db100997-c172-47cc-9425-b9d830760ed5n%40apereo.org.
