Home/ Questions/Q 577011
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T14:06:29+00:00

I’m using the annotations provided by the Spring Security (AKA Acegi) plugin. I have

  • 0

I’m using the annotations provided by the Spring Security (AKA Acegi) plugin. I have controller actions annotated with 

@Secured(['ROLE_ADMIN', 'ROLE_USER'])

To indicate that they should be available to administrators and regular users. But now I need to indicate that an action is available to administrators and unregistered users. Is it possible to use annotations to indicate a user without any role, i.e. unregistered?

Thanks,
Don

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here’s a solution that requires that you not be logged in, or that you have ROLE_ADMIN. You need a custom voter that processes a new ‘IS_NOT_AUTHENTICATED’ token:

    package com.burtbeckwith.grails.springsecurity

import org.springframework.security.Authentication
import org.springframework.security.AuthenticationTrustResolverImpl
import org.springframework.security.ConfigAttribute
import org.springframework.security.ConfigAttributeDefinition
import org.springframework.security.vote.AccessDecisionVoter

class NotLoggedInVoter implements AccessDecisionVoter {

   private authenticationTrustResolver = new AuthenticationTrustResolverImpl()

   int vote(Authentication authentication, object, ConfigAttributeDefinition config) {
      for (configAttribute in config.configAttributes) {
         if (supports(configAttribute)) {
            if (authenticationTrustResolver.isAnonymous(authentication)) {
               // allowed if not logged in
               return ACCESS_GRANTED
            }
            for (authority in authentication.authorities) {
               if ('ROLE_ADMIN' == authority.authority) {
                  // allowed if logged in as an admin
                  return ACCESS_GRANTED
               }
            }
         }
      }

      return ACCESS_DENIED
   }

   boolean supports(ConfigAttribute attribute) {
      'IS_NOT_AUTHENTICATED' == attribute?.attribute
   }

   boolean supports(Class clazz) {
      true
   }
}

    Register this as a bean in resources.groovy:

    beans = {
   notLoggedInVoter(com.burtbeckwith.grails.springsecurity.NotLoggedInVoter)
}

    and add it to the voters list in SecurityConfig.groovy by setting the ‘decisionVoterNames’ property:

    decisionVoterNames = ['notLoggedInVoter', 'authenticatedVoter', 'roleVoter']

    and annotate your controller action with this:

    @Secured(['IS_NOT_AUTHENTICATED'])

    and it’ll only allow non-authenticated users and authenticated users with ROLE_ADMIN.

    • 0