Confusion around Spring Security anonymous access using Java Config

14,941

Your security configuration is blocking all unauthenticated requests. You should allow access to the controller with

.antMatchers("/mycontroller").permitAll()
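A complete configuration showing both layers the answer and the comments describe, written as an added example (not code from the original post or from Spring Security itself). It assumes Spring Security 5.x with the `WebSecurityConfigurerAdapter` style used in the question (the `antMatchers` API was removed in Spring Security 6), a Spring Boot application whose component scan covers the `example` package, and a constructed in-memory user `admin` / `admin-pw`. The class and endpoint names are made up for the demonstration.

```java
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Layer 1: URL security in the filter chain. This runs before any controller
// method is invoked, so a rule here can reject a request that a method-level
// annotation would have allowed.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // turns on @Secured (layer 2)
public class AnonymousAccessConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll() admits both anonymous and authenticated callers.
                // anonymous() would admit ONLY callers with no credentials.
                // authenticated() rejects the ROLE_ANONYMOUS token that
                // AnonymousAuthenticationFilter creates, which is why the
                // original configuration answered with 401.
                .antMatchers("/mycontroller").permitAll()
                // Deliberately open at the URL layer so the method layer below
                // is the one doing the enforcement (defence in depth).
                .antMatchers("/admin/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo user. "{noop}" selects the no-op password encoder
        // (Spring Security 5 DelegatingPasswordEncoder); never use it in production.
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}admin-pw").roles("ADMIN");
    }
}

@RestController
class DemoController {

    // URL rule: permitAll, no method rule -> reachable without credentials.
    @GetMapping("/mycontroller")
    public String open() {
        return "reachable by anonymous and authenticated callers";
    }

    // URL rule let the request through; the method layer still requires
    // ROLE_ADMIN. An anonymous caller is sent to the Basic entry point (401),
    // an authenticated non-admin gets 403.
    @Secured("ROLE_ADMIN")
    @GetMapping("/admin/report")
    public String report() {
        return "admin only";
    }
}
```

With the application running on port 8080: `curl -i http://localhost:8080/mycontroller` returns 200 without credentials, `curl -i http://localhost:8080/admin/report` returns 401 with the same "Full authentication is required" message from the question, and `curl -i -u admin:admin-pw http://localhost:8080/admin/report` returns 200. Swapping `permitAll()` for `anonymous()` on `/mycontroller` would make the admin user's request to that path fail with 403, which is the distinction between the two that the question's `ROLE_ANONYMOUS` attempts were reaching for.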

Author: user2145809

Updated on June 15, 2022

Comments

  • user2145809
    user2145809 almost 2 years

    I am using the following Java Config with Spring Security:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // every request must carry a real authentication;
                // the ROLE_ANONYMOUS token does not satisfy this rule
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
    

    Based on this configuration, all requests are authenticated. When you hit a controller without being authenticated, the AnonymousAuthenticationFilter will create an Authentication object for you with username=anonymousUser, role=ROLE_ANONYMOUS.

    I am trying to provide anonymous access to a specific controller method and have tried to use each of the following:

    1. @Secured("ROLE_ANONYMOUS")
    2. @Secured("IS_AUTHENTICATED_ANONYMOUSLY")

    When the controller methods get invoked, the following response is given: "HTTP Status 401 - Full authentication is required to access this resource"

    Can someone help me understand why we are receiving this message and why ROLE_ANONYMOUS/IS_AUTHENTICATED_ANONYMOUSLY don't seem to work using this configuration?

    Thanks,
    JP

  • user2145809
    user2145809 about 10 years
    Hmm... this is where I lack clarity. If I make a call to a given url using the java config I specified earlier, if I haven't provided credentials using basic auth, the AnonymousAuthenticationFilter steps in and creates an authentication object, but with ROLE_ANONYMOUS. Shouldn't this still work? I don't know that the configuration you have above should be necessary. Thoughts?
  • Rob Winch
    Rob Winch about 10 years
    It is necessary because ROLE_ANONYMOUS indicates the user is anonymous and NOT authenticated. Note that the annotations you have specified on the controller do not override the URL based security, they supplement it to provide defense in depth (i.e. multiple layers of security).
  • user2145809
    user2145809 about 10 years
    Rob, I think my confusion stems from thinking that using @Secured("ROLE_ANONYMOUS") on a controller method with a specific @RequestMapping(value="/mycontroller") mapping annotation defined was the annotation "equivalent" of saying: .antMatchers("/mycontroller").permitAll() or perhaps .antMatchers("/mycontroller").hasRole("ROLE_ANONYMOUS"). Based on what you are saying, annotation configuration is not a substitute for the xml/java config (like how @RequestMapping is a substitute for xml controller mappings). Is this correct?
  • rhinds
    rhinds about 10 years
    @user2145809 yes - the antMatchers apply in the security filter chain - so as you have configured your security chain to authenticate all requests, this catches the anonymous request and rejects it, before it gets to the controller. However, inversely if you say permitAll() in the security chain and then define a secured annotation ROLE_ADMIN, that would secure the page - the request would get through the security filter chain, but then at the controller servlet level fail authentication. As Rob Winch said - multiple layers of security
  • Suleman khan
    Suleman khan over 9 years
    I have tried the above; it's not working as expected. I am using the httpSecurity object.