Collectives™ on Stack Overflow
Find centralized, trusted content and collaborate around the technologies you use most.
Learn more about Collectives
Teams
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Learn more about Teams
I have a single method that I want to allow both anonymous and authenticated access to.
I am using Spring Security 3.2.4 with Java based configuration.
The overridden configure method (in my custom configuration class extending
WebSecurityConfigurerAdapter
) has the following
http
block:
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
The ping request handler and method is in a controller that also contains the login handler, and it has no separate
@PreAuthorize
or other annotations that might cause the issue.
The problem is that anonymous access is denied and the user is redirected to the login page.
Logging at the debug level, I see the following feedback from Spring Security:
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.
–
–
–
The permission order is important, it works when I configure it like this:
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
I saw the same issue. Make sure you didn't call
super.configure(http);
anyRequest().authenticated();
is called by default.
Need to add .anonymous()
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.anonymous().and()
.authorizeRequests().anyRequest().authenticated().and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
Referred from: https://stackoverflow.com/a/25280897/256245
–
–
I was struggling with this a problem for a day. What I had to do in the end is to remove the @Component
annotation from my filter, and instantiate it manually, as described in this answer.
So for the original question this would look something like:
.addFilterBefore(new MultiPartFilter(), ChannelProcessingFilter.class)
.addFilterBefore(new OtherFilter(), ChannelProcessingFilter.class)
.authorizeRequests() // ... rest omitted for brevity
I also had to remove these endpoints from spring security altogether by overriding configure(WebSecurity web)
as described in J. Perez's answer:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/ping**");
I wasn't able to POST to a permitAll() url. After that, I found that the reason is due to CSRF enabled. SO I disable it by:
http.....and().csrf().disable();
P.S: it's not a good idea to disable it, I will have to figure out how to POST with CSRF in the future.
@Override
public void configure(HttpSecurity http) throws Exception {
http.anonymous().and()...;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().mvcMatchers("/ping**");
This occurred to me due to that I'm setting the blank token API request, I had to remove this from my angular
if (token) {
newHeaders = newHeaders.append('Authorization', 'Bearer' + ' ' + token);
Here the token is empty
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.