I have a single method that I want to allow both anonymous and authenticated access to.
I am using Spring Security 3.2.4 with Java-based configuration.
The o
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous().and()...;
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().mvcMatchers("/ping**");
}
Need to add .anonymous()
http
    .addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
    .addFilterBefore(cf, ChannelProcessingFilter.class)
    .anonymous().and()
    .authorizeRequests().anyRequest().authenticated().and()
    .authorizeRequests()
        .antMatchers("/ping**")
        .permitAll()
        .and()
    .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
    .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login");
Referred from: https://stackoverflow.com/a/25280897/256245
The permission order is important; it works when I configure it like this:
.authorizeRequests()
    .antMatchers("/ping**")
    .permitAll()
    .and()
.authorizeRequests()
    .anyRequest()
    .authenticated()
    .and()
I saw the same issue. Make sure you didn't call
super.configure(http);
anyRequest().authenticated();
is called by default.
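
Added example, not part of any answer above and not Spring Security's own code: a simplified model of how authorizeRequests() rules are checked in registration order, with the first match deciding. It shows why a catch-all registered first (explicitly, or through super.configure(http)) shadows a later /ping** rule. The Rule class, the toRegex helper and the sample paths are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Simplified model (an assumption, not Spring Security code):
// rules are evaluated in registration order and the first match wins.
public class MatcherOrderDemo {

    static final class Rule {
        final Pattern pattern; // null models anyRequest()
        final String access;
        Rule(String antPattern, String access) {
            this.pattern = antPattern == null ? null : toRegex(antPattern);
            this.access = access;
        }
        boolean matches(String path) {
            return pattern == null || pattern.matcher(path).matches();
        }
    }

    // Minimal ant-style translation: '*' matches any run of characters except '/'.
    static Pattern toRegex(String ant) {
        StringBuilder sb = new StringBuilder();
        for (char c : ant.toCharArray()) {
            sb.append(c == '*' ? "[^/]*" : Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.toString());
    }

    static String decide(List<Rule> rules, String path) {
        for (Rule r : rules) {
            if (r.matches(path)) return r.access;
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        List<Rule> catchAllFirst = new ArrayList<>();
        catchAllFirst.add(new Rule(null, "authenticated")); // anyRequest() registered first
        catchAllFirst.add(new Rule("/ping**", "permitAll"));
        List<Rule> specificFirst = new ArrayList<>();
        specificFirst.add(new Rule("/ping**", "permitAll")); // specific rule registered first
        specificFirst.add(new Rule(null, "authenticated"));
        // Constructed sample paths, including a sub-path that /ping** does not cover.
        for (String path : new String[] {"/ping", "/pingdom", "/ping/deep", "/account"}) {
            System.out.printf("%-12s catch-all first: %-14s specific first: %s%n",
                    path, decide(catchAllFirst, path), decide(specificFirst, path));
        }
    }
}
```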