为什么permitAll（）不起作用，并要求在请求中提供认证对象？

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired 
private CustomUserDetailService userDetailsService; 

@Bean 
public PasswordEncoder passwordEncoder() { 
 return new StandardPasswordEncoder(); 
} 

@Override 
protected void configure(AuthenticationManagerBuilder auth) 
 throws Exception { 
 auth.authenticationProvider(authenticationProvider()); 
} 

@Bean 
public DaoAuthenticationProvider authenticationProvider() { 
 DaoAuthenticationProvider authProvider 
  = new DaoAuthenticationProvider(); 
 authProvider.setUserDetailsService(userDetailsService); 
 authProvider.setPasswordEncoder(encoder()); 
 return authProvider; 
} 

@Bean 
public ShaPasswordEncoder encoder() { 
 return new ShaPasswordEncoder(256); 
} 

@Override 
public void configure(WebSecurity web) throws Exception {} 

@Override 
protected void configure(HttpSecurity http) throws Exception { 
 http.csrf().disable(); 

} 

@Override 
@Bean 
public AuthenticationManager authenticationManagerBean() throws Exception { 
 return super.authenticationManagerBean(); 
} 

@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true) 
private static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration { 

 public GlobalSecurityConfiguration() { 
 } 
 @Override 
 protected MethodSecurityExpressionHandler createExpressionHandler() { 
  return new OAuth2MethodSecurityExpressionHandler(); 
 } 

} 

}
当我在做邮递员http://localhost:8889/secure?lang=en电话，我得到错误：

{
“error”: “unauthorized”,
“error_description”: “An Authentication object was not found in the SecurityContext”
}
我已经配置/secure端点permitAll()，所以它不应该要求通过访问令牌。为什么permitAll（）在这种情况下不起作用？

我也尝试通过允许所有请求，但它也没有工作，并面对同样的错误作出回应。

@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().permitAll();

认证和授权是两回事。 'permitAll’适用于授权。您仍然需要进行身份验证。