Menu
I have a controller that has many actions and it specifies a default class-level @PreAuthorize annotation, but one of the actions I want to let anyone in (the "show" action).
@RequestMapping("/show/{pressReleaseId}")
@PreAuthorize("permitAll")
public ModelAndView show(@PathVariable long pressReleaseId) {
ModelAndView modelAndView = new ModelAndView(view("show"));
modelAndView.addObject("pressRelease",
sysAdminService.findPressRelease(pressReleaseId));
return modelAndView;
}
Unfortunately, Spring Security throws this exception:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
How can I get Spring Security to NOT throw this exception? I just want to let anyone in - non-authenticated users and authenticated users - Everyone.
My only solution is to put this method into another controller altogether with no @PreAuthorize at all... which will work, but that's stupid. I want to keep all my press release actions in the same controller.
Thanks for the help!
309
Spring security exceptions can be directly handled by adding custom filters and constructing the response body. To handle these exceptions at a global level via @ExceptionHandler and @ControllerAdvice, we need a custom implementation of AuthenticationEntryPoint.
Run the app using: ./gradlew bootRun . Navigate to the home endpoint, which is open: http://localhost:8080 . And the restricted endpoint, which requires authentication: http://localhost:8080/restricted . When Spring's login form appears, don't forget you can use the default credentials.
enabled=false and management. security. enabled=false should be set to disable the security.
I guess you don't have anonymouse authentication filter enabled.
If you use namespace configuration and auto-config = "true", it should be enabled by default. If you don't use auto-config, you can enable anonymous filter as <security:anonymous />.
76
The normal way to allow anyone to access a controller method is to not annotate it with any Spring Security annotations; ie no @PreAuthorize no @Secured etc.
You should be able to simply remove @PreAuthorize from the show() method, any leave the annotation on the other methods in that controller. The other methods will remain secured regardless of what you do with the show() method.
45
The default changed with a newer version (version 2) of the spring security plugin. That means all controllers are secured by default (you need to login to see them). Removing @Secured will not work at all, it will still stay secured. You can change this default behaviour, but to me the new default behaviour makes sense because it is much more secure. And security is very important.
I only use
@Secured(['permitAll'])
for my controller, but it should also work for a method.
36
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
