I have
<security:http use-expressions="true">
<security:intercept-url pattern="/**/*" access="hasRole('ROLE_USER')"/>
in the Spring Security context configuration file and
@PreAuthorize("permitAll")
@RequestMapping("/public")
public String aMethod() {
// ...
}
in a controller.
What I want is that all the URLs to require authentication except public. Is this possible?
<intercept-url> in XML takes precedence over annotations. <intercept-url> works at URL level and annotations at method level.
If you are going to use spring security and spring <form-login /> then the approach below would serve you better.
<intercept-url pattern="/public/**"
access="permitAll" />
<intercept-url pattern="/restricted/**"
access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN', 'ROLE_SOME')
@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_SOME')")
@RequestMapping("/restricted/aMethod")
public String aMethod() {
// ...
}
Anything under restricted can be accessed by three different roles. But specific path restricted/aMethod can be accessed by @PreAuthorize("ROLE_ADMIN") and @PreAuthorize("ROLE_SOME") but NOT by @PreAuthorize("ROLE_USER"). By default all three roles can access but when you mark some path with @PreAuthorize("ROLE_ADMIN") then user with ROLE_ADMIN can access that path.
If you think about it, @PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_SOME')") act as narrowed or filtered access from a large set of ROLES to single(or set of roles) ROLE.
As you would notice, none of /restricted paths are accessible by permitAll. Its preferred to have /static/*.css and others under permitAll.
HTH