Spring security - allowing anonymous access

NRJ · Jul 20, 2015 · Viewed 13.7k times

I have implemented OAuth2 in my spring-boot app. In my security-context.xml, I have these lines -

<sec:intercept-url pattern="/trusted/**" access="isAnonymous()" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

I want everything under /trusted to be available without authentication. However, I am still prompted for authentication when I try to access /trusted resources (these are RESTful resources).

Did I miss something else?

[Edit:] I am running this app with a 'provided' tomcat instance.

Answer

Daniel Cottone · Jul 20, 2015

You just need to replace the trusted intercept expression access attribute and it should work:

<sec:intercept-url pattern="/trusted/**" filters="none" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

Though since Spring Security 3.1 has deprecated filters, you ought to use http tags to achieve the same effect:

<http pattern="/trusted/**" security="none"/>

<http auto-config='true'>
  <intercept-url pattern="/**" access="isFullyAuthenticated()" />
  <form-login login-page='/login.jsp'/>
</http>

You can read more about this here.
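
An added example, not part of the original answer or of the Spring documentation: a complete security-context.xml that shows the answer's security="none" bypass (commented out) beside a variant that keeps /trusted/** inside the filter chain by using access="permitAll". The http-basic element and the in-memory demo user are assumptions standing in for the asker's OAuth2 setup.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Option A (the answer's approach): no filter chain at all for /trusted/**.
       Requests skip every Spring Security filter, so on these URLs there is
       no SecurityContext, no security response headers and no CSRF check.
       If enabled, it must be declared before the catch-all http element. -->
  <!-- <sec:http pattern="/trusted/**" security="none"/> -->

  <!-- Option B: keep the filter chain and open the path by expression. -->
  <sec:http use-expressions="true">
    <!-- Rules are evaluated in declaration order and the first match wins,
         so the specific pattern goes above the catch-all. -->
    <!-- permitAll admits anonymous and authenticated callers alike;
         isAnonymous() matches only callers with no real authentication,
         so a client that already sent credentials would be denied. -->
    <sec:intercept-url pattern="/trusted/**" access="permitAll" />
    <sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />
    <!-- Assumption: HTTP Basic stands in for the application's OAuth2 filters. -->
    <sec:http-basic />
  </sec:http>

  <!-- Constructed demo user so the file loads on its own. On Spring Security 5+
       the password value needs an encoder prefix such as {noop}. -->
  <sec:authentication-manager>
    <sec:authentication-provider>
      <sec:user-service>
        <sec:user name="demo" password="demo-password" authorities="ROLE_USER" />
      </sec:user-service>
    </sec:authentication-provider>
  </sec:authentication-manager>
</beans>
```

With Option B, code behind /trusted/** can still read the current principal when one is present, which is not possible once the path is excluded with security="none".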