jeff porter

Reputation: 6620

Spring Security: how to exclude certain resources?

I have the following definition...

    <bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
      <property name="objectDefinitionSource">
        <sec:filter-invocation-definition-source>
          <sec:intercept-url pattern="/secure/css/**"    access="ROLE_TIER0"/>
          <sec:intercept-url pattern="/secure/images/**" access="ROLE_TIER0"/>
          <sec:intercept-url pattern="/**"               access="ROLE_TIER0"/>
        </sec:filter-invocation-definition-source>
      </property>
    </bean>

I'd like to have the resources on this url...

"/nonSecure/**"

Open to all calls, i.e. no security around it.

I've tried adding ...

    <sec:intercept-url pattern="/nonsecure/**" access="permitAll" />

But this causes WebSphere to throw an error about

    Unsupported configuration attributes: [permitAll]

Can anyone tell me how to exclude this URL from security?

Upvotes: 39

Views: 78823

Answers (6)

Muhammad Haris Altaf

Reputation: 567

    <security:http auto-config='true'>
        <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
        <security:http-basic />
    </security:http>

access="IS_AUTHENTICATED_ANONYMOUSLY" is the solution. I found it at the following link: http://syntx.io/adding-http-basic-auth-to-restful-services-in-java-and-spring/

Intercepts are evaluated top down. If you write /** before /getIntelFeed/**, then all services would go through /** and security would be applied to all services. In such a case /getIntelFeed/** would be ineffective.

Upvotes: 19
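
An added example, not part of the answer above: a small Python audit of the top-down, first-match ordering it describes, flagging `intercept-url` rules that an earlier subtree pattern makes unreachable. The matcher is a simplified, case-sensitive stand-in for Spring's Ant-style matching, and the two sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"
TOKENS = [("/**", "(/.*)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]")]

def ant_to_regex(pattern):
    """Simplified, case-sensitive Ant-style matcher (an assumption of this sketch)."""
    out, i = "", 0
    while i < len(pattern):
        for token, regex in TOKENS:
            if pattern.startswith(token, i):
                out, i = out + regex, i + len(token)
                break
        else:  # no wildcard token here: emit one literal character
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def load_rules(xml_text):
    """Return (pattern, access) pairs in document order."""
    root = ET.fromstring(xml_text)
    return [(e.get("pattern"), e.get("access")) for e in root.iter(NS + "intercept-url")]

def decide(rules, path):
    """First matching rule wins; None if no rule matches."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None

def shadowed_rules(rules):
    """(later, earlier) pairs where an earlier literal-prefix '/**' rule hides a later one."""
    found = []
    for j, (later, _) in enumerate(rules):
        for earlier, _ in rules[:j]:
            if not earlier.endswith("/**") or any(c in earlier[:-3] for c in "*?"):
                continue  # only subtree patterns with a literal prefix are analysed
            prefix = earlier[:-3]
            if later == prefix or later.startswith(prefix + "/"):
                found.append((later, earlier))
                break
    return found

# Constructed sample configurations: the same two rules in different order.
OPEN_RULE = '<security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>'
CATCH_ALL = '<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>'
WRAP = '<security:http xmlns:security="http://www.springframework.org/schema/security">%s%s</security:http>'
GOOD, BAD = WRAP % (OPEN_RULE, CATCH_ALL), WRAP % (CATCH_ALL, OPEN_RULE)

if __name__ == "__main__":
    for name, xml_text in (("good", GOOD), ("bad", BAD)):
        rules = load_rules(xml_text)
        print(name, decide(rules, "/getfeed/latest"), shadowed_rules(rules))
```

With the catch-all first, `/getfeed/latest` resolves to the role requirement and the anonymous rule is reported as shadowed. The same check catches the opposite mistake, where a broad open pattern placed first hides a stricter rule beneath it.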

Gandalf

Reputation: 9845

Try:

    <sec:intercept-url pattern="/nonsecure/**" filters="none" />

Upvotes: 17

enyo

Reputation: 16696

In Spring Security 3.1.x the use of filters="none" is deprecated. Instead you use multiple <http> tags like this:

    <http pattern="/nonsecure/**" security="none"/>

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic

Upvotes: 86

Gopi

Reputation: 10293

I think you have to add the use-expressions tag to your http configuration in the security XML, for example:

    <http auto-config="true" use-expressions="true">
    ...
    ...
    </http>

Edit: Well, I am not sure what version of Spring Security you are using. I know this works on 3.0, but for older versions I am not sure.

Upvotes: 24

Luxspes

Reputation: 6750

To be able to use expressions such as [permitAll] you have to add a WebExpressionVoter to your AccessDecisionManager.

Upvotes: 3

Peter Mularien

Reputation: 2638

You don't specify the rest of your configuration, and since it looks like you have explicit bean configuration, it's hard for us to guess exactly how you have things configured. I'll say that some combination of the above answers is correct.

  1. If you are using Spr Sec 3, Gopi's answer is correct if you want to enable SpEL expressions (and have the corresponding beans which can evaluate them also configured). This can be hard if you are not using the http namespace.
  2. If you have an appropriate filter configured for setting up a SecurityContext for unauthenticated (anonymous) users, then setting role="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED" or some combination thereof should work.
  3. If all else fails, as several folks have suggested, filters="none" will do what you want, but take care that you really don't need anything to do with Spring Security in the code underlying the pages you are rendering, otherwise you may find yourself scratching your head later on.

Good luck!

Upvotes: 0
