
Thread: How do I get permitAll in Spring Security to NOT throw AuthenticationCredentials?

  1. #1
    Join Date
    May 2009
    Posts
    246

    How do I get permitAll in Spring Security to NOT throw AuthenticationCredentials?

    I have a controller that has many actions, but one of the actions I want to let anyone in (the "show" action).

    Code:
    	@RequestMapping("/show/{pressReleaseId}")
    	@PreAuthorize("permitAll")
    	public ModelAndView show(@PathVariable long pressReleaseId) {
    		ModelAndView modelAndView = new ModelAndView(view("show"));
    
    		modelAndView.addObject("pressRelease",
    			sysAdminService.findPressRelease(pressReleaseId));
    
    		return modelAndView;
    	}
    Unfortunately, Spring Security throws this exception:

    Code:
        org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
        	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
        	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
        	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
    How can I get Spring Security to NOT throw this exception? I just want to let anyone in - non-authenticated users and authenticated users - Everyone.

    My only solution is to put this method into another controller altogether with no @PreAuthorize at all... which will work, but that's stupid. I want to keep all my press release actions in the same controller.

    Thanks for the help!

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826


    Did you try removing the annotation? If you want to explicitly state it, then you need to ensure that Spring is filtering on that URL and you have anonymous authentication set up. If you still have problems, post your Spring Security configuration.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    May 2009
    Posts
    246


    Well, I could do that, but I think this begs the question of, "What good are my default annotations at the class level if I can't make a few actions require no authentication?"

    Let's say I have a controller with 9 actions, and 2 of them should not be authenticated. Because of their cohesiveness, it makes sense to put all of them in the same class.

    The only way to do this currently is to put 7 annotations in the controller class, one for each action that requires pre authorization and leave 2 of them without annotations.

    In this example, all of these annotations are the same, so you are repeating yourself 7 times. Let's not forget, because you're not doing this at the class level, you are pretty much forced to write 7 additional tests to ensure that each annotation is working (it's easy to forget 1 or so when you don't look at the class in a few months... which is very error prone).

    This is, in fact, what I had to do.

    Contrast this with a better possibility - you define your default annotation at the class level, and then only use 2 annotations to specify "no pre authorization required". That's only 3 annotations vs 7, and I dare say, it is far more intuitive.

    A good solution would be a no-op like this:

    @PreAuthorize("true")

    It's not pretty, but it could mean let anything and everything pass. You can make "true" whatever you want, but I'm sure you get the point.

    That would make class-level annotations much more useful. Right now, I sort of see this as a design problem in its current working state, unless I totally don't know about some feature that would already do this.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826


    Quote: originally posted by mystic
    Well, I could do that, but I think this begs the question of, "What good are my default annotations at the class level if I can't make a few actions require no authentication?"
    Ok so it sounds like you want to use the second option I gave.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    May 2009
    Posts
    246


    Can I do this through annotations? I don't want to have a small % of my security configuration in the XML because I have so many controllers with annotations that this will go unnoticed at some point :/

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826


    You can set up the filters using namespace configuration, which you likely already did for the URLs that required roles. Look for filters=none within your configuration. If you do not see that, ensure you have anonymous authentication set up. If you still have problems, post your configuration and perhaps I or someone else can point you in the right direction.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
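
The configuration described in posts #2 and #6, written out as an added example (not part of any post in this thread, and not the original poster's configuration): a Spring Security 3.0-style namespace file showing the `filters="none"` form that leaves the SecurityContext empty next to the form that keeps the URL in the filter chain with anonymous authentication. The URL patterns, the role name and the `userDetailsService` bean are assumptions.

```xml
<!-- Added example. URL patterns, ROLE_ADMIN and the userDetailsService
     bean reference are assumptions, not taken from the thread. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Turns on @PreAuthorize / @PostAuthorize processing. -->
  <global-method-security pre-post-annotations="enabled"/>

  <http auto-config="true" use-expressions="true">
    <!-- Problem form: filters="none" skips the whole filter chain for this
         URL, so no Authentication (not even an anonymous one) reaches the
         SecurityContext. MethodSecurityInterceptor then throws
         AuthenticationCredentialsNotFoundException before it ever
         evaluates the "permitAll" expression.
    <intercept-url pattern="/pressRelease/show/**" filters="none"/>
    -->

    <!-- Working form: the URL stays in the filter chain and is open to
         everyone, so AnonymousAuthenticationFilter can populate the context
         and @PreAuthorize("permitAll") on the handler evaluates to true. -->
    <intercept-url pattern="/pressRelease/show/**" access="permitAll"/>

    <!-- Everything else under the controller still requires the role. -->
    <intercept-url pattern="/pressRelease/**" access="hasRole('ROLE_ADMIN')"/>

    <!-- Anonymous authentication is on by default in the namespace; it is
         spelled out here so a later enabled="false" stands out in review. -->
    <anonymous/>
  </http>

  <authentication-manager>
    <!-- Hypothetical UserDetailsService bean defined elsewhere. -->
    <authentication-provider user-service-ref="userDetailsService"/>
  </authentication-manager>
</beans:beans>
```

Because the annotation sits on a controller, `<global-method-security>` has to be declared in the application context that creates the controller beans (typically the DispatcherServlet context); declared only in the root context, `@PreAuthorize` on controllers is not applied at all.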
