I have a controller which is secured in general, but I want to secure the whole controller except one method:
@RestController
@RequestMapping(value = "/api/")
@Secured("ROLE_ADMIN")
public class RestApiController {
    @Autowired CategoryService categoryService;
    @Autowired BrandService brandService;

    @RequestMapping(value = "category/{id}")
    public Category category(@PathVariable("id") Integer id){
        return categoryService.getById(id);
    }

    @RequestMapping(value = "brand/{id}")
    public Brand brand(@PathVariable("id") Integer id){
        return brandService.getById(id);
    }

    @RequestMapping(value = "login")
    public String login(){
        return "";
    }
}
What I need is for login to be available to everyone, including users who are not logged in. Is this possible?
Otherwise I must set it on every method, which would be very annoying: this controller will get around 70 methods implemented, and I only need the login method to be accessible to everyone.
I'm using Spring MVC and Spring Security in version 4.0.0.
Thanks to Sarfaraz: the XML worked, the other solution did not.
One way of doing it is to configure your HTTP security in XML. Following is one sample:
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/" access="hasRole('ROLE_USER')" />
    <security:intercept-url pattern="/api/login" access="permitAll" />
</security:http>
One other thing you can try is to put the secured annotation with permitAll on the method, but I'm not very sure about this; the XML config works for me.
@Secured("permitAll")
@RequestMapping(value = "login")
public String login(){
    return "";
}
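The same "everything under /api/ needs ROLE_ADMIN except login" rule expressed in Java configuration for Spring Security 4, as an added example that is not code from the question or the answer. The class names `ApiSecurityConfig` and `ApiController`, the use of HTTP Basic, and the simplified `String` return type are assumptions. It also shows an expression-based class-level default with a method-level override, because a URL rule does not lift a method-security annotation that is still enforced on the controller.

```java
// Added example; class names and the authentication mechanism are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
// Turns on @PreAuthorize; must be active in the context that holds the controllers.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are evaluated in order and the first match wins,
                // so the single public endpoint is listed before the catch-all.
                .antMatchers("/api/login").permitAll()
                .antMatchers("/api/**").hasRole("ADMIN") // checks authority ROLE_ADMIN
                .anyRequest().authenticated()
            .and()
            .httpBasic(); // assumption: any authentication mechanism can go here
    }
}

@RestController
@RequestMapping("/api/")
@PreAuthorize("hasRole('ROLE_ADMIN')") // default for every handler in this class
class ApiController {

    @RequestMapping("category/{id}")
    public String category(@PathVariable("id") Integer id) {
        return "category " + id; // inherits the class-level ROLE_ADMIN requirement
    }

    @PreAuthorize("permitAll") // method-level annotation replaces the class-level one
    @RequestMapping("login")
    public String login() {
        return "";
    }
}
```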