jonnie

Reputation: 12690

intercept-url pattern /** causing 404 error

I have searched here, Google and SpringSource for this and could not find a solution that worked for me. I have the below spring-security.xml and when I use the pattern

<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

This gives me a 404 error when it redirects to the login page. But this does not happen if I use

<intercept-url pattern="/index*" access="hasRole('ROLE_USER')" />

But obviously this does not secure the rest of the app.

I'm sure this is something simple I am overlooking, but the closest thing I could find was this Stack Overflow question, which I have already incorporated in my XML file below, but I still have the same issue. I have tried this without use-expressions="true" and I have tried switching the intercept-urls around (I'm not 100% sure, but I am fairly sure that the /** pattern should be the last one, as I believe URLs are matched in the same order as declared).

Any advice/help would be great

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" filters="none" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>

    <authentication-manager>
      <authentication-provider>
        <user-service>
            <user name="username" password="password" authorities="ROLE_USER" />
        </user-service>
      </authentication-provider>
    </authentication-manager>

</beans:beans>

Update

Just in case it is a factor I'm using Spring and Spring security 3.0.4.RELEASE

Answer

Following Kris's advice I changed

<intercept-url pattern="/login" filters="none" access="permitAll" />

to:

<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />

This caused a 500 Error due to the exception

    SpelEvaluationException: EL1008E:(pos 0): Field or property 'IS_AUTHENTICATED_ANONYMOUSLY' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot

I solved this by changing the IS_AUTHENTICATED_ANONYMOUSLY to isAnonymous()

<intercept-url pattern="/login" access="isAnonymous()" />

Upvotes: 12

Views: 17700

Answers (4)

Jim Garrison

Reputation: 86774

For completeness, here's the real reason this requires a change to isAnonymous().

The <http> element has an attribute use-expressions which defaults to true. In the default situation, you are required then to use "security expressions" instead of role names. If you wish to use only role names in access= declarations, you need to turn off expressions with

<http use-expressions="false"> ... </http>

Upvotes: 9
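
The two access syntaxes discussed in this thread, side by side, as an added example that is not taken from any of the posts. It reuses the URLs from the question's config; the extra rules for /loginfailed and /logout are an assumption about what should stay reachable without a session.

```xml
<!-- Added example, not from the original posts. Use ONE of the two <http> variants. -->

<!-- Variant A: use-expressions="true". Every access value is parsed as a SpEL
     expression, so a bare IS_AUTHENTICATED_ANONYMOUSLY here fails with EL1008E. -->
<http auto-config="true" use-expressions="true">
    <!-- isAnonymous() is the fix from the question; it admits only unauthenticated users -->
    <intercept-url pattern="/login" access="isAnonymous()" />
    <!-- Assumption: these two redirect targets must be reachable without a session;
         otherwise the /** rule below sends the browser back to /login -->
    <intercept-url pattern="/loginfailed" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <!-- Catch-all stays last: the first matching pattern wins -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />
</http>

<!-- Variant B: use-expressions="false". Access values are plain attributes:
     role names and the IS_AUTHENTICATED_* tokens, no function-call syntax. -->
<http auto-config="true" use-expressions="false">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/loginfailed" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />
</http>
```

Setting use-expressions explicitly in either variant avoids depending on the default of the Spring Security version in use.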

oussama.elhadri

Reputation: 738

Adds an AnonymousAuthenticationFilter to the stack and an AnonymousAuthenticationProvider. Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute. Spring Security

or use isAnonymous() instead.

Upvotes: 8

Kris

Reputation: 1902

Change this <intercept-url pattern="/login" filters="none" access="permitAll" />

to

<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />

Upvotes: 3

zagyi

Reputation: 17518

The config looks fine to me. Could it be that the /login page is actually not there? The second config (with /index*) might have only worked because then the request you made wasn't intercepted, and consequently didn't get redirected to the non-existent /login page. If it was a problem with the config, Spring Security would respond with 403, not 404.

Double-check without any Spring Security configured if the /login url works.

Upvotes: 0
