Spring Security: ‘permitAll’ vs security=’none’ vs …

  • access=”permitAll” works but requires use-expressions=”true” to be set. This will require that every access attribute evaluates as a valid expression (see link).
<http auto-config="true" use-expressions="true">
        <intercept-url pattern="/user/view" access="permitAll" />
        <intercept-url pattern="/topsecret/**" access="hasRole('ROLE_ADMIN')" />        

Forgetting to set use-expressions=”true” will result in Unsupported configuration attributes: [permitAll] during application startup. (see link)

  • filters=”none” became deprecated in Spring 3.1, it was replaced by the security attribute on <http> element.
  • security=”none” on <http> element replaces filter=”none” as of Spring 3.1: (see link). This completely disables Spring filters, which is ok for static pages, but not for JSPs that require functionally from Spring Security.
    <http pattern="/nonsecure/**" security="none"/>
  • IS_AUTHENTICATED_ANONYMOUSLY works only if not using expressions:
<http auto-config="true">
        <intercept-url pattern="/user/view" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/topsecret/**" access="ROLE_ADMIN" />        


Posted in Java, Spring, Spring Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: