
Spring Security 3.0 - Intercept-URL - All pages require authentication but one

I want any user to be able to submit their name to a volunteer form but only administrators to be able to view any other URL. Unfortunately I don't seem to be able to get this correct. My resources.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <http realm = "BumBumTrain Personnel list requires you to login" auto-config="true" use-expressions="true">
        <http-basic/>
        <intercept-url pattern="/person/volunteer*" access=""/>
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Specifically, I am trying to achieve the access settings I described via:

    <intercept-url pattern="/person/volunteer*" access=""/>
    <intercept-url pattern="/**" access="isAuthenticated()" />

Could someone please describe how to use intercept-url to achieve the outcome I've described?

Thanks

Gav


For whatever reason, in a Grails app I needed:

    <intercept-url pattern="/person/volunteer/**" access="" filters="none"/>
    <intercept-url pattern="/images/**" access="" filters="none"/>
    <intercept-url pattern="/css/**" access="" filters="none"/>
    <intercept-url pattern="/js/**" access="" filters="none"/>
    <intercept-url pattern="/**" access="ROLE_ADMIN" />

To get this to work, note the difference in the first rule.

gav asked May 03 '10 17:05


2 Answers

What exactly does not work as you expect? What goes wrong?

I think access="" does not do what you expect... Use the format from the docs:

<intercept-url pattern="/login.jsp*" filters="none"/>

If you don't use the default authentication (which you do) you would need to add a WebExpressionVoter because you use expressions (see the expressions doc).

dube answered Jan 01 '23 01:01


Hi, replace access="" with access="permitAll" for the URL you want to make accessible without authentication.

Bikash Sahoo answered Jan 01 '23 02:01
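
A consolidated configuration for the requirement in the question, as an added example that is not part of the original question or answers. It uses `permitAll` as suggested in the second answer and assumes the stock Spring Security 3.0 namespace with Ant path matching; the `hasRole('ROLE_ADMIN')` catch-all and the static-asset rules are assumptions drawn from the question's stated goal and its follow-up snippet.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- With use-expressions="true" every access attribute is parsed as a
         SpEL expression, so an empty string or a bare "ROLE_ADMIN" is not
         a valid value; use permitAll / hasRole(...) instead. -->
    <http realm="BumBumTrain Personnel list requires you to login"
          auto-config="true" use-expressions="true">
        <http-basic/>

        <!-- Rules are evaluated top to bottom and the first match wins,
             so the specific public patterns must precede the /** rule. -->

        <!-- Ant "*" does not cross a "/", so "/person/volunteer*" would not
             cover sub-paths such as a form action under /person/volunteer/.
             The exact path is listed explicitly next to the /** form. -->
        <intercept-url pattern="/person/volunteer" access="permitAll"/>
        <intercept-url pattern="/person/volunteer/**" access="permitAll"/>

        <!-- Static assets (paths taken from the question's follow-up).
             permitAll keeps these requests inside the filter chain;
             filters="none" would bypass the chain for them entirely, so no
             security context is available on those URLs. -->
        <intercept-url pattern="/images/**" access="permitAll"/>
        <intercept-url pattern="/css/**" access="permitAll"/>
        <intercept-url pattern="/js/**" access="permitAll"/>

        <!-- Everything else: administrators only, as the question states.
             isAuthenticated() would admit any logged-in user instead. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <!-- In-memory user copied from the question. -->
                <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A quick check after deploying: an unauthenticated request to `/person/volunteer` should return the form, while any other path should answer with a 401 challenge or a login redirect.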