Spring security - allowing anonymous access


Solution 1

You just need to replace the trusted intercept expression access attribute and it should work:

<sec:intercept-url pattern="/trusted/**" filters="none" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

Though since Spring Security 3.1 has deprecated filters, you ought to use http tags to achieve the same effect:

<http pattern="/trusted/**" security="none"/>

<http auto-config='true'>
  <intercept-url pattern="/**" access="isFullyAuthenticated()" />
  <form-login login-page='/login.jsp'/>
</http>

You can read more about this here.
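An alternative to `security="none"` that keeps `/trusted/**` inside the filter chain, shown as an added example that is not part of the original answer. It assumes the same `security-context.xml`, the default security namespace used in the `<http>` snippet above, and an `authentication-manager` defined elsewhere.

```xml
<!-- Fragment for security-context.xml (added example, not the answerer's
     code). Assumes the default XML namespace is
     http://www.springframework.org/schema/security and that the
     authentication-manager is already defined elsewhere. -->

<!-- Variant A (from the answer): matching requests skip the filter chain
     entirely. No SecurityContext is populated for them, and any CSRF
     protection or response headers the chain is configured to apply are
     skipped as well.
<http pattern="/trusted/**" security="none"/>
-->

<!-- Variant B: /trusted/** stays inside the filter chain but is open to
     every caller. permitAll admits anonymous and logged-in users alike,
     whereas isAnonymous() is true only for callers with no login, so an
     authenticated user would be denied. -->
<http auto-config="true" use-expressions="true">
  <!-- Rules are evaluated top to bottom and the first match wins, so the
       open patterns must come before the catch-all. -->
  <intercept-url pattern="/trusted/**" access="permitAll" />
  <!-- The login page must be reachable without authentication, otherwise
       the catch-all rule below redirects it back to itself. -->
  <intercept-url pattern="/login.jsp" access="permitAll" />
  <intercept-url pattern="/**" access="isFullyAuthenticated()" />
  <form-login login-page="/login.jsp" />
</http>
```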

Solution 2

<http>
<intercept-url pattern="/trusted/**" access="ROLE_USER,ROLE_GUEST" />
<intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
<intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<remember-me />
</http>

<anonymous username="guest" granted-authority="ROLE_GUEST" />

You can define a role like ROLE_GUEST and mention it as the above code does. Any anonymous member can access the URL pattern under ROLE_GUEST.

Author by

NRJ

Updated on June 24, 2022

Comments

  • NRJ
    NRJ almost 2 years

    I have implemented OAuth2 in my spring-boot app. In my security-context.xml, I have these lines -

    <sec:intercept-url pattern="/trusted/**" access="isAnonymous()" />
    <sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />
    

    I want everything under /trusted to be available without authentication. However, I am still prompted for authentication when I try to access /trusted resources (these are RESTful resources).

    Did I miss something else?

    [Edit:] I am running this app with a 'provided' tomcat instance.