I have a custom access decision manager bean, and have added three voters, AuthenticatedVoter, RoleVoter and a custom voter.
My http looks like this:
And my accessDecisionManager bean looks like:
<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
<logout logout-url="/logout" logout-success-url="/" />
<form-login login-page="/login" default-target-url="/" />
<intercept-url pattern="/login" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
And this is not working, the isAuthenticated() part of the intercept-url does not seem to work in this configuration.
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="net.mortenoh.spring.security.FridayAccessVoter" />
If I use @PreAuthorize("isAuthenticated()") on my controller, it asks for a login.
If I remove the reference to the access decision manager, and remove the annotation from the controller (which leaves only the access part of the intercept url), it works fine.
I'm guessing this is related to anonymousUser, but I'm not sure how to fix it. Is the default access decision manager using another voter I'm not aware of?