Spring Security: how to exclude certain resources?

spring-security

I have the following definition...

    <bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
    <property name="objectDefinitionSource">
      <sec:filter-invocation-definition-source >
            <sec:intercept-url pattern="/secure/css/**"        access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/secure/images/**"     access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/**"                   access="ROLE_TIER0"/>
      </sec:filter-invocation-definition-source>
    </property>
    </bean>

I'd like to have the resources on this url...

"/nonSecure/**"

Open to all calls, i.e. no security around it.

I've tried adding ...

<sec:intercept-url pattern="/nonsecure/**" access="permitAll" />

But this causes Websphere to throw an error about 

Unsupported configuration attributes: [permitAll]

Can anyone tell me how to exclude this URL from security?


Solution 1:

In spring security 3.1.x the use of filters="none" is deprecated. Instead you use multiple <http> tags like this:

<http pattern="/nonsecure/**" security="none"/>

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic

Solution 2:

I think you have to add use-expressions tag to your http configuration in security xml for example:

<http auto-config="true" use-expressions="true">
...
...
</http>

Edit: Well I am not sure what version of spring security you are using. I know this works on 3.0 but for older versions I am not sure.

Solution 3:

<security:http auto-config='true'>
    <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
    <security:http-basic />
</security:http>

access="IS_AUTHENTICATED_ANONYMOUSLY" Is the solution. I found it on the following link http://syntx.io/adding-http-basic-auth-to-restful-services-in-java-and-spring/

Intercepts are evaluated top down. If you write this /** before /getIntelFeed/** then all service would go through /** and security would be applied on all services. In such case /getIntelFeed/** would be ineffective.

Solution 4:

Try:

<sec:intercept-url pattern="/nonsecure/**" filters="none" />

Related

Generate dynamic css based on variables angular
Start a service in a separate process android
SQLite keeps the database locked even after the connection is closed
How to increase scrollbar width in WPF ScrollViewer?
Updating input html field from within an Angular 2 test
Calculating point on a circle's circumference from angle in C#?
Disable or prevent multitouch in Activity
MySQL: #1075 - Incorrect table definition; autoincrement vs another key?
Moq: unit testing a method relying on HttpContext
How do I parse and convert DateTime’s to the RFC 822 date-time format?
Why do we need to use `int main` and not `void main` in C++? [duplicate]
How to select a directory and store the location using tkinter in Python