Confusion around Spring Security anonymous access using Java Config
I am using the following Java Config with Spring Security:
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
Based on this configuration, all requests are authenticated. When you hit a controller without being authenticated, the AnonymousAuthenticationFilter will create an Authentication object for you with username=anonymousUser, role=ROLE_ANONYMOUS.
I am trying to provide anonymous access to a specific controller method and have tried to use each of the following:
@Secured("ROLE_ANONYMOUS")
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
When the controller methods get invoked, the following response is given: "HTTP Status 401 - Full authentication is required to access this resource"
Can someone help me understand why we are receiving this message and why ROLE_ANONYMOUS / IS_AUTHENTICATED_ANONYMOUSLY don't seem to work using this configuration?
Thanks,
JP
Your security configuration is blocking all unauthenticated requests. You should allow access to the controller with
.antMatchers("/mycontroller").permitAll()
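Added example, not code from the original question or answer: the answer's matcher placed into the question's configuration, with a MockMvc check that only that one path is open to anonymous requests. The URL rules are enforced in the security filter chain before the controller method is reached, so the method annotations are never consulted for a request the chain has already rejected. The class names, the /other path and the Spring Boot test setup are assumptions.

```java
// Added example. SecurityConfig, AnonymousAccessTest and "/other" are hypothetical.
// Assumes a Spring Boot application with spring-security-test on the test
// classpath and the same WebSecurityConfigurerAdapter API the question uses.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are matched in declaration order, so the narrow
                // exception must come before the catch-all.
                .antMatchers("/mycontroller").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class AnonymousAccessTest {
    @Autowired
    private MockMvc mockMvc;

    @Test
    void onlyTheListedPathIsOpenToAnonymousRequests() throws Exception {
        // Assumes a controller is mapped at /mycontroller and returns 200.
        mockMvc.perform(get("/mycontroller")).andExpect(status().isOk());
        // Every other path is still rejected with 401 by the HTTP Basic entry point.
        mockMvc.perform(get("/other")).andExpect(status().isUnauthorized());
    }
}
```

Keeping the second assertion in the test suite catches a later change that widens the permitAll matcher or moves it after anyRequest().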