@PreAuthorize (permitAll) authentication still required

I have the following sample method in my Repository (with @RepositoryRestResource annotation):

    @Override
    @PreAuthorize("permitAll")
    @PostAuthorize("permitAll")
    public Iterable<User> findAll();

But I still get 401 Unauthorized, even when I add these permitAll annotations to the entire repository interface.

I got this as my WebSecurityConfigurerAdapter:

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Configuration
    class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated()
                .and().httpBasic()
                .and().csrf().disable();
        }
    }

I believe that this takes precedence over these method annotations, but I don't know how to fix it.

+7
spring spring-security
1 answer

Method security is applied after the web security filter.

Since you have anyRequest().fullyAuthenticated() in your configuration, your findAll method is never reached. anyRequest().fullyAuthenticated() means that every attempt to access a web endpoint without full user authentication will fail.

From the JavaDoc:

Indicate that the URLs are allowed by authenticated users and are not “remembered”.

You will need to add an additional path to your web security, for example:

    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are checked in order and the first match wins,
                // so the specific matcher must come before anyRequest().
                .antMatchers(HttpMethod.GET, "/somePath").permitAll()
                .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic()
            .and()
            .csrf().disable();
    }
+4
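
The two layers from this thread side by side, as an added example that is not code from the question or the answer: the URL rule opens one read-only route in the filter chain, and method security keeps guarding the repository behind it. The `/users` path, the `UserRepository` name, the `Long` id type and the `ADMIN` role are assumptions; `User` is the entity from the question and is expected to exist in the same package.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Layer 1: URL rules in the filter chain, checked top to bottom, first match wins.
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Assumed path: only the collection read is open to anonymous callers.
                .antMatchers(HttpMethod.GET, "/users").permitAll()
                // Everything else still needs full (non remember-me) authentication.
                .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic()
            .and()
            .csrf().disable();
    }
}

// Layer 2: method security, reached only by requests that passed layer 1.
@RepositoryRestResource
interface UserRepository extends CrudRepository<User, Long> {

    @Override
    @PreAuthorize("permitAll")
    Iterable<User> findAll();

    // Assumed rule: writes keep a role check even if a URL rule is loosened later.
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    <S extends User> S save(S entity);

    @Override
    @PreAuthorize("hasRole('ADMIN')")
    void deleteById(Long id);
}
```

With this in place an unauthenticated `GET /users` passes the filter chain and then `findAll()`'s `permitAll`, while any other request is answered with 401 before method security is consulted.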