Home/ Questions/Q 8420617
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T02:55:16+00:00

In the spring security intercept-url config, if I define a particular role for a

  • 0

In the spring security intercept-url config, if I define a particular role for a particular path, say ROLE_USER, that path should be accessible only if the user has that authority. That makes sense, but if I set the role as ROLE_ANONYMOUS, <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS"/> shouldn’t it be accessible even when the user is authenticated, say when the user has an authority ROLE_USER? But that doesn’t happen.

Here is the log

Checking match of request : '/resources/js/test.js'; against '/resources/**'
Secure object: FilterInvocation: URL: /resources/js/test.js; Attributes: [ROLE_ANONYMOUS]
Previously Authenticated:   org.springframework.security.authentication.UsernamePasswordAuthenticationToken***********************************************
Voter: org.springframework.security.access.vote.RoleVoter@1712310, returned: -1

And then i get an access denied exception.I know it works fine if i add <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/> in my Http config. But in the above case, is it meant to be like that or am I doing something wrong.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s the right way to write:

    <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>

    You can check the official reference manual chapter about annonymous authentication where you’ll see following configuration:

    <bean id="filterSecurityInterceptor"
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
  <property name="securityMetadata">
    <security:filter-security-metadata-source>
      <security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/**' access='ROLE_USER'/>
    </security:filter-security-metadata-source>" +
  </property>
</bean>

    Your understanding of ROLE_ANONYMOUS and ROLE_USER is a bit wrong, read more about them in this answer by Luke Taylor, one of Spring Security’s devs.

    • 0