Braham Shakti

Reputation: 1456

How to skip Spring authentication for a specific method of a controller

How can I skip a specific method from being authenticated in Spring MVC? My spring_security.xml file contains:

<http auto-config="true" use-expressions="true">
      <intercept-url pattern="/logout" access="permitAll"/>
      <intercept-url pattern="/login" access="permitAll"/>
      <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
      <logout logout-success-url="/logoutPage" logout-url="/logout" />
      <form-login authentication-failure-url="/login?auth=fail"
          login-page="/login"
          login-processing-url="/loginPage" 
          password-parameter="password"
          username-parameter="username"
      />
</http>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

Now how can I skip authentication for the method defined below using an annotation?

@Controller
public class DataController {

    @PreAuthorize("permitAll")
    @RequestMapping(value = "/data/info", method = RequestMethod.GET, headers = "Content-Type=application/json")
    public @ResponseBody String getDetails() {
        // some code
    }
}

What I used is not working. Thanks.

Upvotes: 1

Views: 2881

Answers (3)

Ramzan Zafar

Reputation: 1600

Try using something like this:

<http pattern="/data/info**" security="none"/>  

Upvotes: 0

Serge Ballesta

Reputation: 148890

There are two levels of security in Spring Security:

  • URL based security managed by intercept-url elements
  • method based security mainly managed with PreAuthorize annotations.

You can mix the two, and method security can be used for very refined rules, particularly with ACLs, and can be applied on service or model methods, but it cannot be used to overwrite URL based restrictions.

Upvotes: 2

holmis83

Reputation: 16604

You can't. intercept-url is evaluated before controller annotations.

However, you can solve it by adding the following to your XML:

<intercept-url pattern="/data/info" access="permitAll"/>

The @PreAuthorize("permitAll") makes no sense since it basically is a no-op.

Upvotes: 1
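
Added example (not part of any post above): the question's `<http>` block with the exception placed where it takes effect. `intercept-url` rules are matched in declaration order and the first match wins, so the `/data/info` rule has to appear before `/**`; the `method="GET"` restriction is an assumption added here, based on the controller mapping only GET.

```xml
<http auto-config="true" use-expressions="true">
      <intercept-url pattern="/logout" access="permitAll"/>
      <intercept-url pattern="/login" access="permitAll"/>

      <!-- Exception for the one public endpoint. It must come BEFORE the
           catch-all: rules are tried top to bottom and the first matching
           pattern decides. Placed after "/**" it would never be reached. -->
      <!-- Assumption: limited to GET because the controller only maps GET.
           Any other HTTP method on this path falls through to "/**"
           and still requires ROLE_USER. -->
      <intercept-url pattern="/data/info" method="GET" access="permitAll"/>

      <!-- Catch-all stays last so everything not listed above is protected. -->
      <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

      <logout logout-success-url="/logoutPage" logout-url="/logout" />
      <form-login authentication-failure-url="/login?auth=fail"
          login-page="/login"
          login-processing-url="/loginPage"
          password-parameter="password"
          username-parameter="username"
      />
</http>

<!-- Method security is evaluated only after the URL rules have let the
     request through, so @PreAuthorize("permitAll") on getDetails() cannot
     loosen the "/**" rule and can be dropped. -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
```

With `permitAll` the request still passes through the Spring Security filter chain, so an already logged-in user's identity is available in the handler. A separate `<http pattern="/data/info**" security="none"/>` element instead takes the path out of the filter chain altogether, so none of the Spring Security filters run for it.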
