Reputation: 581
Confusion around Spring Security anonymous access using Java Config
I am using the following Java Config with Spring Security:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
Based on this configuration, all requests are authenticated. When you hit a controller without being authenticated, the AnonymousAuthenticationFilter will create an Authentication object for you with username=anonymousUser, role=ROLE_ANONYMOUS.
I am trying to provide anonymous access to a a specific controller method and have tried to use each of the following:
@Secured("ROLE_ANONYMOUS")@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
When the controller methods get invoked, the following response is given: "HTTP Status 401 - Full authentication is required to access this resource"
Can someone help me understand why we are receiving this message and why ROLE_ANONYMOUS/IS_AUTHENTICATED_ANONYMOUSLY don't seem to work using this configuration?
Thanks,
JP
Upvotes: 8
Views: 15525
Answers (1)
Reputation: 7779
Your security configuration is blocking all unauthenticated requests. You should allow access to the controller with
.antMatchers("/mycontroller").permitAll()
See also:
Upvotes: 3
Related Questions
- Spring Security permitAll not allowing anonymous access
- How to configure Spring Security to avoid 'anonymousUser'
- Spring Boot Security - Anonymous User access on default mapping /
- Spring - Access denied for an Anonymous Authentication
- Spring Boot Security Anonymous authorization
- Spring security - allowing anonymous access
- Java based configuration to enable spring security anonymous access
- Spring security access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"
- Spring security | issue in granting access to anonymous users
- Spring Java configuration with spring-security