Spring Security permitAll not allowing anonymous access

JavaSpringSpring MvcSpring Security

Java Problem Overview

I have a single method that I want to allow both anonymous and authenticated access to.

I am using Spring Security 3.2.4 with Java based configuration.

The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter) has the following http block:

    http
		.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
		.addFilterBefore(cf, ChannelProcessingFilter.class)
		.authorizeRequests()
			.anyRequest()
			.authenticated()
			.and()
		.authorizeRequests()
			.antMatchers("/ping**")
			.permitAll()
			.and()
		.formLogin()
			.loginPage("/login")
			.permitAll()
			.and()
		.logout()
			.logoutUrl("/logout")
		.logoutSuccessUrl("/login");

The ping request handler and method is in a controller that also contains the login handler, and it has no separate @PreAuthorize or other annotations that might cause the issue.

The problem is that anonymous access is denied and the user is redirected to the login page.

Logging at the debug level, I see the following feedback from Spring Security:

[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point

What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.

Java Solutions

Solution 1 - Java

The permission order is important, it works when I configure it like this:

.authorizeRequests()
        .antMatchers("/ping**")
        .permitAll()
        .and()
.authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()

Solution 2 - Java

I saw the same issue. Make sure you didn't call
super.configure(http);
anyRequest().authenticated();
is called by default.

Solution 3 - Java

Need to add .annonymous()

http
    .addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
    .addFilterBefore(cf, ChannelProcessingFilter.class)
    .anonymous().and()
    .authorizeRequests().anyRequest().authenticated().and()
        .authorizeRequests()
            .antMatchers("/ping**")
            .permitAll()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/logout")
        .logoutSuccessUrl("/login");

Referred from: https://stackoverflow.com/a/25280897/256245

Solution 4 - Java

I was struggling with this a problem for a day. What I had to do in the end is to remove the @Component annotation from my filter, and instantiate it manually, as described in this answer.

So for the original question this would look something like:

http
    .addFilterBefore(new MultiPartFilter(), ChannelProcessingFilter.class)
    .addFilterBefore(new OtherFilter(), ChannelProcessingFilter.class)
    .authorizeRequests() // ... rest omitted for brevity

I also had to remove these endpoints from spring security altogether by overriding configure(WebSecurity web) as described in J. Perez's answer:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/ping**");
}

Solution 5 - Java

@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and()...;
}

@Override
public void configure(WebSecurity web) throws Exception {
	web.ignoring().mvcMatchers("/ping**");
}

Solution 6 - Java

This occurred to me due to that I'm setting the blank token API request, I had to remove this from my angular

if (token) {
    newHeaders = newHeaders.append('Authorization', 'Bearer' + ' ' + token);
}

Here the token is empty

Solution 7 - Java

Make sure the class is annotated with @Configuration. 臘‍♀️

Categories
Recommended Java Solutions
Recommended Spring Solutions
Recommended Spring Mvc Solutions
Recommended Spring Security Solutions

Previous Solution:

Raw use of parameterized class

JavaGenerics

Next Solution:

Why does my GitHub page do not update its content?

GithubGithub Pages

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionMarceauView Question on Stackoverflow
Solution 1 - Javasamsong8610View Answer on Stackoverflow
Solution 2 - JavaPeiSongView Answer on Stackoverflow
Solution 3 - JavaKrisView Answer on Stackoverflow
Solution 4 - JavajohnnyaugView Answer on Stackoverflow
Solution 5 - JavaJ. JerezView Answer on Stackoverflow
Solution 6 - JavaPrabhakar ThangavelView Answer on Stackoverflow
Solution 7 - JavaAnand RockzzView Answer on Stackoverflow