Spring: Security how to exclude certain resources..

Question

Hi,

I have the following definition...

    <bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
    <property name="objectDefinitionSource">
      <sec:filter-invocation-definition-source >
            <sec:intercept-url pattern="/secure/css/**"        access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/secure/images/**"     access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/**"                   access="ROLE_TIER0"/>
      </sec:filter-invocation-definition-source>
    </property>
    </bean>

I'd like to have the resources on this url...

"/nonSecure/**"

Open to all calls, i.e. no security around it.

I've tried adding ...

<sec:intercept-url pattern="/nonsecure/**" access="permitAll" />

But this causes Websphere to throw an error about

Unsupported configuration attributes: [permitAll] 

Can anyone tell me how to exclude this URL from security?

Thanks Jeff Porter

Answer 1

I think you have to add use-expressions tag to your http configuration in security xml for example:

<http auto-config="true" use-expressions="true">
...
...
</http>

Edit: Well I am not sure what version of spring security you are using. I know this works on 3.0 but for older versions I am not sure.

Answer 2

Try:

<sec:intercept-url pattern="/nonsecure/**" filters="none" />