Spring Security ROLE_ANONYMOUS does not work when deny-by-default is activated

Question

I had enabled deny-by-default feature of security. With this I want to provide anonymous access on some controllers. For that I had enabled Anonymous authentication.

If

Answer 1

When using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") and anyRequest().authenticated(), you have configured your security chain to authenticate all requests, this catches the anonymous request and rejects it, before it gets to the controller.

Either you can configure using antMatchers("/").permitAll() or antMatchers("/").anonymous() to pass through the security filter chain.