I am new to spring security and in my project I found below scenario happening .
We are using spring security to authenticate user . And for every request we are authenticating using Cookie .If cookie presents then process the request . And CSRF protection is also implemented .
I feel only spring controller request should be authenticated , when i see my application . It is authenticating every css, js, jsp import . Is that approach correct.
I know I briefly described the problem , Try to understand and reply