-
Aug 3rd, 2010, 09:08 AM
#1
security:authorize ifNotGranted not working with Spring Security 3.0.3
We are upgrading from Acegi Security 1.0.6 to Spring Security 3.0.3. On the login page, we were using this tag to show the login form only to users who have not logged in:
<@authz.authorize ifNotGranted="ROLE_USER">
With Spring Security 3.0.3, this no longer works. Looking at the source code for org.springframework.security.taglibs.authz.AuthorizeTag, the doStartTag method bails out immediately when the authentication object is null, which happens in this case. So it doesn't matter what arguments are passed to the authorize tag, it will never render its body. After fiddling for a while, I came up with this alternative (we're using FreeMarker):
<#assign username>
<@security.authentication property="principal.username"/>
</#assign>
<#if username?length == 0>
In the not logged-in case, the username comes back null, so the username variable is set to an empty string and the test below returns true. Not elegant but it works. Is there a better way to do this, and is there a bug in the tag library? I would expect ifNotGranted to return true when the user is not logged in. See also:
https://jira.springframework.org/bro...ream-issue-tab
Walter Gillett
-
Aug 3rd, 2010, 09:29 AM
#2
I think the newer Spring Security framework expects the non-secure resource to be set as role_anonymous, i.e. it expects 'some' role to be defined. In my application I explicitly set my non-secure resources as role anonymous and used that to figure out who is logged in and who isn't.
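Added example, not part of either post and not the posters' own configuration: a Spring Security 3.0 namespace setup in the spirit of reply #2, where the login page stays inside the filter chain and is granted to ROLE_ANONYMOUS, so the tag library sees a non-null Authentication. The URL patterns, the sample user and the "before" line are assumptions; the `security` prefix in the template comment is the one used in post #1.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true">
    <!-- Before (assumed): the login page bypasses the filter chain, so no
         Authentication is placed in the SecurityContext for this request:
         <intercept-url pattern="/login.html*" filters="none"/> -->

    <!-- After: the login page passes through the chain. Users who have not
         logged in receive an anonymous token carrying ROLE_ANONYMOUS;
         ROLE_USER is listed too so logged-in users can still open the page. -->
    <intercept-url pattern="/login.html*" access="ROLE_ANONYMOUS,ROLE_USER"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>

    <form-login login-page="/login.html"/>

    <!-- Explicit for clarity; ROLE_ANONYMOUS is also the default authority. -->
    <anonymous granted-authority="ROLE_ANONYMOUS"/>
  </http>

  <!-- Constructed sample user, for illustration only. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="demo" password="change-me" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>

  <!-- FreeMarker template usage on the login page (assumed markup):
       <@security.authorize ifAnyGranted="ROLE_ANONYMOUS">
         ...login form...
       </@security.authorize> -->
</beans:beans>
```

With anonymous authentication in place, the principal is the string anonymousUser rather than a UserDetails object.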