do not authorize requests that get dispatched async

With spring-projects/spring-security#11107
the default to filter all dispatcher types was changed to true.

Author: erikpetzold

spring-boot-admin-samples/spring-boot-admin-sample-servlet/src/main/java/de/codecentric/boot/admin/SecuritySecureConfig.java

@@ -18,6 +18,8 @@
 
 import java.util.UUID;
 
+import jakarta.servlet.DispatcherType;
+
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -60,8 +62,9 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 				.requestMatchers(new AntPathRequestMatcher(this.adminServer.path("/variables.css"))).permitAll()
 				.requestMatchers(new AntPathRequestMatcher(this.adminServer.path("/actuator/info"))).permitAll()
 				.requestMatchers(new AntPathRequestMatcher(this.adminServer.path("/actuator/health"))).permitAll()
-				.requestMatchers(new AntPathRequestMatcher(this.adminServer.path("/login"))).permitAll().anyRequest()
-				.authenticated() // <2>
+				.requestMatchers(new AntPathRequestMatcher(this.adminServer.path("/login"))).permitAll()
+				.dispatcherTypeMatchers(DispatcherType.ASYNC).permitAll()
+				.anyRequest().authenticated() // <2>
 		).formLogin(
 				(formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and() // <3>
 		).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout"))).httpBasic(Customizer.withDefaults()) // <4>