
Spring security - allowing anonymous access

I have implemented OAuth2 in my spring-boot app. In my security-context.xml, I have these lines:

<sec:intercept-url pattern="/trusted/**" access="isAnonymous()" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

I want everything under /trusted to be available without authentication. However, I am still prompted for authentication when I try to access /trusted resources (these are RESTful resources).

Did I miss something else?

[Edit:] I am running this app with a 'provided' tomcat instance.

NRJ asked Jul 19 '15 23:07


2 Answers

You just need to replace the trusted intercept expression access attribute and it should work:

<sec:intercept-url pattern="/trusted/**" filters="none" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

Though since Spring Security 3.1 has deprecated filters, you ought to use http tags to achieve the same effect:

<http pattern="/trusted/**" security="none"/>

<http auto-config='true'>
  <intercept-url pattern="/**" access="isFullyAuthenticated()" />
  <form-login login-page='/login.jsp'/>
</http>

You can read more about this here.

Daniel Cottone answered Nov 08 '22 09:11


<http>
  <intercept-url pattern="/trusted/**" access="ROLE_USER,ROLE_GUEST" />
  <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
  <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
  <anonymous username="guest" granted-authority="ROLE_GUEST" />
  <remember-me />
</http>

<anonymous username="guest" granted-authority="ROLE_GUEST" />

You can define a role like ROLE_GUEST and mention it as the above code does. Any anonymous member can access the URL pattern under ROLE_GUEST.

MS Ibrahim answered Nov 08 '22 10:11
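
For comparison, an added example (not part of the original posts) that sets the question's isAnonymous() rule and the first answer's security="none" beside a permitAll rule, with the security consequence of each noted in comments. The HTTP Basic element and the demo user are assumptions made so the file is complete; they stand in for the asker's OAuth2 setup.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Alternative 1 (first answer): take /trusted/** out of Spring Security.
       No security filter runs for these requests: the SecurityContext is
       empty, and any CSRF checks and security response headers configured
       for the chain are skipped too. If used, declare it BEFORE the
       catch-all <http> element, because the first <http> whose pattern
       matches handles the request:

       <http pattern="/trusted/**" security="none"/>
  -->

  <!-- Alternative 2: keep the filter chain and open the path with permitAll. -->
  <http use-expressions="true">
    <!-- Rules are checked top to bottom and the first match wins, so the
         specific pattern must stay above the catch-all. -->
    <!-- isAnonymous() (the question's rule) is true only for callers with no
         credentials; an already authenticated caller is refused with 403.
         permitAll admits both. -->
    <intercept-url pattern="/trusted/**" access="permitAll"/>
    <intercept-url pattern="/**" access="isFullyAuthenticated()"/>
    <!-- Assumption: HTTP Basic stands in for the asker's OAuth2 setup. -->
    <http-basic/>
  </http>

  <!-- Constructed demo user; the {noop} prefix applies to Spring Security 5+. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="demo" password="{noop}change-me" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With Alternative 2 the authentication filter still runs on /trusted/**, so a request that carries invalid credentials is rejected there even though the path itself is open to everyone.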