I want to enable the use of "ROLE_ANONYMOUS" to allow anonymous access to some URLs in my app. And I used the configuration below.
@Overr
This should solve your issue.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            ...
            .formLogin().loginPage("/login").permitAll()
            ...
But if you prefer not to use permitAll but to stick with an anonymous-role user (it would have the same effect in both situations, but if that's what you prefer), then try this in the controller.
    @Secured("ROLE_ANONYMOUS")
    @RequestMapping(method=RequestMethod.GET)
    public String get(){
        ...
As Faraj Farook wrote, you have to permit access to your login page URL. You commented the relevant line out:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Unauthenticated requests are given the ROLE_ANONYMOUS authority
            .anonymous()
                .authorities("ROLE_ANONYMOUS")
                .and()
            .headers()
                .cacheControl()
                .and()
                .and()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/profile/image").permitAll()
                .antMatchers("/favicon.ico").permitAll()
                .antMatchers("/resources/**").permitAll()
                // The login page URL must be reachable without authentication
                .antMatchers(HttpMethod.GET, "/login/**").permitAll()
                .anyRequest().authenticated();
    }
But if you prefer not to use permitAll(), you could use hasAuthority("ROLE_ANONYMOUS"). In this case you don't need to annotate your method with @Secured( value={"ROLE_ANONYMOUS"}).
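The two options from the answers above, side by side in one configuration. This is an added example, not code from the question or either answer; the class name and the "/signup/**" path are hypothetical. It shows a point worth checking before picking one: permitAll() admits every caller, while hasAuthority("ROLE_ANONYMOUS") admits only callers who are not logged in, because an authenticated user's token does not carry that authority.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AnonymousAccessConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Requests without a session get an AnonymousAuthenticationToken
            // whose only authority is ROLE_ANONYMOUS.
            .anonymous()
                .authorities("ROLE_ANONYMOUS")
                .and()
            .authorizeRequests()
                // Open to everyone: anonymous visitors AND logged-in users.
                .antMatchers("/resources/**").permitAll()
                .antMatchers(HttpMethod.GET, "/login/**").permitAll()
                // Open only to anonymous visitors. A logged-in user lacks
                // ROLE_ANONYMOUS and is rejected with 403 Forbidden.
                // "/signup/**" is a hypothetical path for illustration.
                .antMatchers("/signup/**").hasAuthority("ROLE_ANONYMOUS")
                // Everything else requires a real login; anonymous requests
                // are sent to the login page instead of receiving a 403.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                // Permits the login page and its processing URL for all users.
                .permitAll();
    }
}
```

Rule order matters: the first matching antMatchers entry decides, so the specific paths must stay above anyRequest().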