I have a single method that I want to allow both anonymous and authenticated access to.
I am using Spring Security 3.2.4 with Java based configuration.
The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter
) has the following http
block:
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
The ping request handler and method is in a controller that also contains the login handler, and it has no separate @PreAuthorize
or other annotations that might cause the issue.
The problem is that anonymous access is denied and the user is redirected to the login page.
Logging at the debug level, I see the following feedback from Spring Security:
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.
The permission order is important, it works when I configure it like this:
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
I saw the same issue. Make sure you didn't callsuper.configure(http);
anyRequest().authenticated();
is called by default.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With