Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:

>> LEARN SPRING SECURITY

1. Overview

In this tutorial, we’ll learn about the methods permitAll() and anonymous() of the class HttpSecurity from Spring Security Framework. Spring Security Framework helps prevent vulnerability attacks and enables authentication and authorization of web applications. Leveraging it, web applications can control access to the server resources such as HTML forms, CSS files, JS files, Web Service endpoints, etc. It also helps enable RBAC (Role-Based Access Control) to access server resources.

There are always some parts of a web application that users can access only after authentication. However, there are also some parts where user authentication doesn’t matter. Interestingly, there are also scenarios where authenticated users cannot access certain server resources.

We’ll shortly discuss all of them and see how permitAll() and anonymous() methods help define these kinds of security accesses with Spring Security Expressions.

2. Security Requirements

Before we move ahead, let’s imagine an e-commerce website with the following requirements:

  • Both anonymous and authenticated users can view the products on the website
  • Audit entry for anonymous and authenticated user requests
  • Anonymous users can access the user registration form, whereas authenticated users cannot
  • Only authenticated user can view their shopping cart

3. Controller and WebSecurity Configuration

First, let’s define our controller class that has the endpoints of the e-commerce website:

@RestController
public class EcommerceController {
    @GetMapping("/private/showCart")
    public @ResponseBody String showCart() {
        return "Show Cart";
    }

    @GetMapping("/public/showProducts")
    public @ResponseBody String listProducts() {
        return "List Products";
    }

    @GetMapping("/public/registerUser")
    public @ResponseBody String registerUser() {
        return "Register User";
    }
}

Earlier, we discussed the security requirements of the website. Let’s implement those in the class EcommerceWebSecruityConfig:

@Configuration
@EnableWebSecurity
public class EcommerceWebSecurityConfig {
    @Bean
    public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails user = User.withUsername("spring")
          .password(passwordEncoder.encode("secret"))
          .roles("USER")
          .build();

        return new InMemoryUserDetailsManager(user);
    }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http.addFilterAfter(new AuditInterceptor(), AnonymousAuthenticationFilter.class)
            .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/private/**"))
                .authenticated())
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/public/showProducts"))
                .permitAll())
            .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/public/registerUser"))
                .anonymous())
            .build();
    }
    
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Basically, we’ve defined the following:

  • An AuditInterceptor filter after AnonymousAuthenticationFilter to log requests made by anonymous and authenticated users
  • Users have to authenticate mandatorily to access URLs  with the path /private
  • All users can access the path /public/showProducts
  • Only anonymous users can access the path /public/registerUser

We’ve also configured a user spring that would be used throughout the article to invoke the web service endpoints defined in EcommerceController.

4. Method permitAll() in HttpSecurity

Basically, in the class EcommerceWebSecurityConfig, we used permitAll() to open endpoints /public/showProducts for allNow, let’s see if that works:

@WithMockUser(username = "spring", password = "secret")
@Test
public void givenAuthenticatedUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
      .andExpect(MockMvcResultMatchers.status().isOk())
      .andExpect(MockMvcResultMatchers.content().string("List Products"));
}

@WithAnonymousUser
@Test
public void givenAnonymousUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
      .andExpect(MockMvcResultMatchers.status().isOk())
      .andExpect(MockMvcResultMatchers.content().string("List Products"));
}

As expected, both anonymous and authenticated users can access the page.

Also, with Spring Security 6, permitAll() helps in securing static resources like JS and CSS files quite efficiently. Moreover, we should always prefer permitAll() over ignoring the static resources in the Spring Security Filter Chain. Because the Filter Chain will not be able to set the security headers on the ignored static resources.

5. Method anonymous() in HttpSecurity

Before we start implementing the requirement of the e-commerce website, it’s important to understand the idea behind the expression anonymous().

In line with the Spring Security principle, we need to define the permissions and limitations for all users. This stands valid for an anonymous user as well. Hence, they are associated with ROLE_ANONYMOUS.

5.1. Implement AuditInterceptor

Spring Security populates the Authentication object of an anonymous user in the AnonymousAuthenticationFilter. It’s helpful in auditing the operations performed by anonymous and registered users through an interceptor on the e-commerce website.

Here is the outline of the AuditInterceptor, which we configured earlier in the class EcommerceWebSecurityConfig:

public class AuditInterceptor extends OncePerRequestFilter {
    private final Logger logger = LoggerFactory.getLogger(AuditInterceptor.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof AnonymousAuthenticationToken) {
            logger.info("Audit anonymous user");
        }
        if (authentication instanceof UsernamePasswordAuthenticationToken) {
            logger.info("Audit registered user");
        }
        filterChain.doFilter(request, response);
    }
}

Even for an anonymous user, the Authentication object is not null. This leads to a robust implementation of the AuditInterceptor. It has separate flows for auditing anonymous and authenticated users.

5.2. Deny Access to Register User Screen to Authenticated Users

In the class EcommerceWebSecurityConfig, with the expression anonymous(), we ensured that only anonymous users can access the endpoint public/registerUser. Whereas the authenticated users cannot access it.

Let’s see if it achieves the expected result:

@WithAnonymousUser
@Test
public void givenAnonymousUser_whenAccessToUserRegisterPage_thenAllowAccess() throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
      .andExpect(MockMvcResultMatchers.status().isOk())
      .andExpect(MockMvcResultMatchers.content().string("Register User"));
}

So, an anonymous user could access the user registration page.

Similarly, will it be able to deny access to an authenticated user? Let’s find out:

@WithMockUser(username = "spring", password = "secret")
@Test
public void givenAuthenticatedUser_whenAccessToUserRegisterPage_thenDenyAccess() throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
      .andExpect(MockMvcResultMatchers.status().isForbidden());
}

The above method successfully denies access to the user registration page to an authenticated user.

Unlike the permitAll() method, anonymous() can also be used to serve static resources when authentication is not needed for them.

6. Conclusion

In this tutorial, with the help of examples, we demonstrated the difference between permitAll() and anonymous() methods.

anonymous() is used when we’ve public content that should be accessible only to anonymous users. In contrast, permitAll() is used when we want to allow access to specific URLs for all users without distinguishing between their authentication statuses.

Finally, the examples can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE
res – Security (video) (cat=Security/Spring Security)
3 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.