I am trying to make a resource that can be accessed by both authenticated and unauthenticated users. I also have the remember-me authentication in place. For a user accessing the resource (page), I want the remember-me authentication to try and sign-in the person. If the sign-in wasn’t successful, I want the page to still show up but act differently. When I write my security intercept urls, I can either choose “none or “Role_User”. Can I make spring work in a way where it tries the ROLE_USER, if it doesn’t succeed, then it should gracefully degrade to “None” ? Here is how my spring config looks.

<security:http auto-config='true'>
 <security:intercept-url pattern="/dynamicPage" filters="none"/>
  <security:intercept-url pattern="/**" access="ROLE_USER" />
  <security:form-login login-page="/index"
        default-target-url="/home" always-use-default-target="true"
        authentication-success-handler-ref="AuthenticationSuccessHandler"        
        login-processing-url="/j_spring_security_check" 
        authentication-failure-url="/index?error=true"/>
   <security:remember-me key="myLongSecretCookieKey" token-validity-seconds="1296000" 
        data-source-ref="jdbcDataSource" user-service-ref="AppUserDetailsService" />
</security:http>

I want the dynamic page to try “Role_User” with remember-me auth, wait for a failure then fall back to “none”. Is there a recommended way of doing this?

I have learn’t about expressions like isRememberMe() and chained expressions, but I still don’t know how I can solve this problem. What I want is something like this.

<security:intercept-url pattern="/dynamicPage" filters="ROLE_USER,none"/>

Since, none isn’t returned by the getAuthorities query, I need to find some other way of doing this.