40

I have the following definition...

    <bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
      <property name="objectDefinitionSource">
        <sec:filter-invocation-definition-source>
          <sec:intercept-url pattern="/secure/css/**"    access="ROLE_TIER0"/>
          <sec:intercept-url pattern="/secure/images/**" access="ROLE_TIER0"/>
          <sec:intercept-url pattern="/**"               access="ROLE_TIER0"/>
        </sec:filter-invocation-definition-source>
      </property>
    </bean>

I'd like to have the resources on this url...

    "/nonSecure/**"

Open to all calls, i.e. no security around it.

I've tried adding ...

    <sec:intercept-url pattern="/nonsecure/**" access="permitAll" />

But this causes Websphere to throw an error about

    Unsupported configuration attributes: [permitAll]

Can anyone tell me how to exclude this URL from security?

Jonik
jeff porter

6 Answers

86

In Spring Security 3.1.x the use of `filters="none"` is deprecated. Instead you use multiple `<http>` tags like this:

    <http pattern="/nonsecure/**" security="none"/>

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic

Lukas Eder
enyo
24

I think you have to add the use-expressions tag to your http configuration in the security XML, for example:

    <http auto-config="true" use-expressions="true">
    ...
    ...
    </http>

Edit: Well I am not sure what version of spring security you are using. I know this works on 3.0 but for older versions I am not sure.

Lukas Eder
Gopi
  • 2
    Beware using the attribute `auto-config`--I just learned that the hard way. From the Spring [documentation](http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#appendix-namespace): "Use of this attribute is not recommended." – mbroshi Oct 10 '14 at 20:49
19

    <security:http auto-config='true'>
        <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
        <security:http-basic />
    </security:http>

`access="IS_AUTHENTICATED_ANONYMOUSLY"` is the solution. I found it on the following link: http://syntx.io/adding-http-basic-auth-to-restful-services-in-java-and-spring/

Intercepts are evaluated top down. If you write /** before /getIntelFeed/**, then all services would go through /** and security would be applied to all services. In such a case /getIntelFeed/** would be ineffective.

Faheem Sohail
  • I added the `access="IS_AUTHENTICATED_ANONYMOUSLY` for my `intercept-url pattern` entry. However, I got a 401 error when trying to access the pattern url. Why would that be? Note that I followed your "intercepts are evaluated top down" caution. – Kevin Meredith Apr 19 '13 at 16:58
  • Please review the link in post for details. If you are facing issues even after following link then please share your code. – Muhammad Haris Altaf Apr 29 '13 at 15:03
  • The link in this answer is dead :/ – rvaldron Feb 17 '14 at 21:54
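
The top-down evaluation described in the answer above, as an added example that is not part of the original answer: a small Python check that reads `intercept-url` rules in document order, resolves a path by first match, and flags rules that an earlier pattern already claims. The two configs are constructed samples, and the Ant-pattern conversion is a simplified assumption, not Spring Security's own matcher.

```python
import re
import xml.etree.ElementTree as ET

NS = 'xmlns:security="http://www.springframework.org/schema/security"'
# Constructed sample configs: the same two rules in the two possible orders.
GOOD = f"""<security:http {NS} auto-config="true">
  <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>
</security:http>"""
BAD = f"""<security:http {NS} auto-config="true">
  <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>
  <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</security:http>"""

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption): trailing /**, **, * and ? only."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    parts = re.split(r"(\*\*|\*|\?)", body)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + tail + r"\Z")

def load_rules(xml_text):
    """Return (pattern, access) pairs in document order."""
    root = ET.fromstring(xml_text)
    return [(e.get("pattern"), e.get("access"))
            for e in root.iter() if e.tag.endswith("}intercept-url")]

def first_match(rules, path):
    """Top-down evaluation: the first matching pattern decides."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None

def shadowed(rules):
    """Heuristic: flag a rule when a probe path built from its own pattern
    is already claimed by an earlier rule. Returns (rule, earlier rule) pairs."""
    hits = []
    for idx, (pattern, _) in enumerate(rules):
        probe = pattern.replace("**", "a/b").replace("*", "a").replace("?", "a")
        winner = first_match(rules[:idx], probe)
        if winner:
            hits.append((pattern, winner[0]))
    return hits

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        rules = load_rules(cfg)
        print(name, first_match(rules, "/getfeed/items"), shadowed(rules))
```

With the catch-all first, `/getfeed/items` resolves to the `/**` rule and the anonymous rule is reported as shadowed; with the specific rule first, nothing is flagged.
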
17

Try:

    <sec:intercept-url pattern="/nonsecure/**" filters="none" />

Lukas Eder
Gandalf
  • 2
    I agree with this answer in general; however, one common issue with filters="none" that people often miss is that without Spring Security filters in the chain, there is NO SecurityContext, thus non-obvious security checks (e.g. service-layer annotations or JSP custom tags referencing Spring Security objects) may unexpectedly fail. Be careful if you are using filters="none" on pages with dynamic content! – Peter Mularien Mar 23 '11 at 02:54
  • 30
    filters="none" is no longer supported in Spring 3.1 – Eugen Jan 10 '12 at 11:20
  • does `filters="none"` skip custom filters as well? – Kevin Meredith May 13 '14 at 14:30
  • 2
    ```org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The use of "filters='none'" is no longer supported. Please define a separate element for the pattern you want to exclude and use the attribute "security='none'"``` – Clint Eastwood Jul 14 '15 at 15:36
  • IntelliJ also gives an error about this, but we are using spring-security 3.1 without problems and with this attribute, which is still correct according to the official docs at http://docs.spring.io/autorepo/docs/spring-security/3.1.x/reference/springsecurity-single.html#d0e3264 – Gregor Oct 09 '15 at 14:46
  • while filters="none" is now deprecated, there is an equally useful equivalent in security="none" (see enyo's answer) – drrob Jan 04 '16 at 17:38
3

To be able to use expressions such as [permitAll] you have to add a WebExpressionVoter to your AccessDecisionManager

Luxspes
0

You don't specify the rest of your configuration, and since it looks like you have explicit bean configuration, it's hard for us to guess exactly how you have things configured. I'll say that some combination of the above answers is correct.

  1. If you are using Spr Sec 3, Gopi's answer is correct if you want to enable SpEL expressions (and have the corresponding beans which can evaluate them also configured). This can be hard if you are not using the http namespace.
  2. If you have an appropriate filter configured for setting up a SecurityContext for unauthenticated (anonymous) users, then setting role="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED" or some combination thereof should work.
  3. If all else fails, as several folks have suggested, filters="none" will do what you want, but take care that you really don't need anything to do with Spring Security in the code underlying the pages you are rendering, otherwise you may find yourself scratching your head later on.

Good luck!

Peter Mularien