17

I have implemented Oauth2 in my spring-boot app. In my security-context.xml, I have these lines -

<sec:intercept-url pattern="/trusted/**" access="isAnonymous()" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

I want everything under /trusted to be available without authentication. However, I am still prompted for authentication when I try to access /trusted resources (these are RESTful resources).

Did I miss something else?

[Edit:] I am running this app with a 'provided' tomcat instance.

mic4ael
NRJ
  • isAnonymous() implies that you have anonymous user configured. I would do something like this: – Aug 14 '15 at 21:45
  • Stackoverflow is going to award bounty to somebody but I didn't get a working answer. – NRJ Aug 18 '15 at 22:30

3 Answers

7

You just need to replace the trusted intercept expression access attribute and it should work:

<sec:intercept-url pattern="/trusted/**" filters="none" />
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />

Though since Spring Security 3.1 has deprecated filters, you ought to use http tags to achieve the same effect:

<http pattern="/trusted/**" security="none"/>

<http auto-config='true'>
  <intercept-url pattern="/**" access="isFullyAuthenticated()" />
  <form-login login-page='/login.jsp'/>
</http>

You can read more about this here.

Daniel Cottone
  • Now I get org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext – NRJ Jul 21 '15 at 00:25
  • Sounds like you have some other problem with your authentication setup. – Daniel Cottone Jul 21 '15 at 01:10
  • I have modeled after https://github.com/skate056/spring-security-oauth2-google do you know of some other working example with google oath provider and spring boot? – NRJ Jul 21 '15 at 01:17
2
<http>
<intercept-url pattern="/trusted/**" access="ROLE_USER,ROLE_GUEST" />
<intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
<intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<remember-me />
</http>

<anonymous username="guest" granted-authority="ROLE_GUEST" />

You can define a role like ROLE_GUEST and declare it as the code above does. Any anonymous member can access the URL pattern under ROLE_GUEST.

MS Ibrahim
0

Your configuration is wrong. Now imagine what's happening: you are telling Spring Security to allow anonymous access to everything under /trusted/**, which is OK, but then you tell it again to restrict all anonymous access under /** - which is every path in your application, which obviously restricts access to /trusted/** as well.

You need to change your configuration into something like this:

<sec:intercept-url pattern="/trusted/**" access="isAnonymous()" />
<sec:intercept-url pattern="/secure/**" access="isFullyAuthenticated()" />

and it will work.

Paulius Matulionis
  • your answer makes sense, but then I am getting this exception - 2015-08-17 20:10:30.760 ERROR 18078 --- [io-8080-exec-10] o.s.boot.context.web.ErrorPageFilter : Forwarding to error page from request [/monitor/123] due to exception [An Authentication object was not found in the SecurityContext] org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext – NRJ Aug 18 '15 at 00:11
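The first-match rule ordering discussed in this answer, together with the AuthenticationCredentialsNotFoundException reported in the comments, as an added Java-config example; this is not code from any of the posts, and the package and class names are assumed:

```java
package example.security; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Java-config equivalent of the XML intercept-url rules above (Spring Security 3.2 - 5.x).
 * Rules are evaluated top to bottom and the FIRST matching pattern wins, so the
 * specific /trusted/** rule has to come before the catch-all, exactly as in the XML.
 */
@Configuration
@EnableWebSecurity
public class TrustedPathsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Keep the anonymous filter active (it is on by default; shown here for clarity).
            // Unauthenticated callers then carry an AnonymousAuthenticationToken in the
            // SecurityContext instead of nothing at all. Contrast <http pattern="/trusted/**"
            // security="none"/>, which skips the whole filter chain for that path: any
            // @PreAuthorize/@Secured method or SecurityContextHolder lookup behind it then
            // sees no Authentication and fails with AuthenticationCredentialsNotFoundException.
            .anonymous().and()
            .authorizeRequests()
                // permitAll(): open to anonymous AND already-authenticated clients.
                // isAnonymous() (the question's rule) would REJECT a logged-in client
                // calling /trusted/**, which is rarely what "no auth required" means.
                .antMatchers("/trusted/**").permitAll()
                // Catch-all goes LAST; placed first it shadows the rule above and
                // /trusted/** is challenged again, which is the symptom in the question.
                .anyRequest().fullyAuthenticated()
            .and()
            // Placeholder entry point; replace with the app's own OAuth2 / resource-server setup.
            .httpBasic();
    }
}
```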