P E N C I L
Login
HttpSecurity

Example:

http
			.antMatchers("/resourceA/**", "/resourceB/**")
			.authorizeRequests()
				.antMatchers("/resourceA/**").hasAuthority("#oauth2.hasScope('resourceA:read')")
				.antMatchers("/resourceB/**").hasAuthority("#oauth2.hasScope('resourceB:read')")
				.anyRequest().authenticated();

httpSecurity.authorizedquest() => urlMatcher

urlMatcher.antMatcher("/resourceA/**). authentiated()

.anyRequest().authenticated()

Basic:

.authenticated(), permitAll(), fullyAuthenticated() actually just set the expression (string) which is handled by expressionHandler. Oauth has it's own expression handler

It does not really execute / exclude the filter. Ex: if token is invalid, and url has permitAll(), the filter is executed and token is still checked.