Difference between access="permitAll" and filters="none"?

Here is a part from Spring Security petclinic example:

<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/static/**" filters="none" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login />
    <logout />
</http>

What is the difference between access="permitAll" and filters="none"?

Url: http://static.springsource.org/spring-security/site/petclinic-tutorial.html

kamaci asked Sep 12 '11 17:09


1 Answer

The difference is that filters = "none" disables Spring Security filters for the specified URLs, whereas access = "permitAll" configures authorization without disabling filters.

In practice, filters = "none" may cause problems when resources behind it require some functionality of Spring Security. For example, you can't use it for a user registration page that performs programmatic login on submit (User Granted Authorities are always : ROLE_ANONYMOUS?).

axtavt answered Sep 28 '22 18:09
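
The registration case from the answer above, written out as configuration. This is an added example, not part of the original post or the petclinic sample; the /register URL and its handler are assumptions. The two <http> elements are alternatives to compare, not one file.

```xml
<!-- Added example. /register is a hypothetical registration URL whose handler
     calls SecurityContextHolder.getContext().setAuthentication(...) after
     creating the account (programmatic login). -->

<!-- Variant A (login is lost): no Spring Security filter runs for /register,
     so nothing loads the SecurityContext before the handler or saves it to
     the HTTP session afterwards, and nothing clears it from the worker
     thread. The next request from the new user is treated as anonymous. -->
<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/register" filters="none" />
    <intercept-url pattern="/static/**" filters="none" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login />
    <logout />
</http>

<!-- Variant B (login persists): /register stays inside the filter chain and
     is only exempted from the authorization check, so the context set by the
     handler is written to the session when the request completes.
     filters="none" is kept for /static/**, which needs no security
     functionality at all. -->
<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/register" access="permitAll" />
    <intercept-url pattern="/static/**" filters="none" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login />
    <logout />
</http>
```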