20

Here is a part of the Spring Security petclinic example:

```xml
<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/static/**" filters="none" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login />
    <logout />
</http>
```

What is the difference between access="permitAll" and filters="none"?

Url: http://static.springsource.org/spring-security/site/petclinic-tutorial.html

kamaci

1 Answer

32

The difference is that filters = "none" disables Spring Security filters for the specified URLs, whereas access = "permitAll" configures authorization without disabling filters.

In practice, filters = "none" may cause problems when resources behind it require some functionality of Spring Security. For example, you can't use it for a user registration page that performs programmatic login on submit (User Granted Authorities are always : ROLE_ANONYMOUS?).

axtavt
  • So should I use `access = "permitAll"` instead of `filters = "none"` even for css and js files for a secured application? – kamaci Sep 12 '11 at 18:23
  • I commented at your link too. – kamaci Sep 12 '11 at 18:28
  • @kamaci: As far as I understand, `filters = "none"` shouldn't cause any problems for static resources. However, if you use it for dynamic resources, you need to keep the difference in mind. – axtavt Sep 12 '11 at 18:35
  • So I will use filters="none" for static resources? – kamaci Sep 12 '11 at 18:37
  • 2
    @kamaci: Yes, I think using `filters = "none"` for static resources wouldn't cause any problem. – axtavt Sep 13 '11 at 09:59
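
The distinction discussed in this thread, applied to the question's configuration. This is an added example, not part of the original posts or the petclinic sample; the `/register` path is a hypothetical registration page that logs the user in programmatically on submit.

```xml
<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>

    <!-- Static assets only: the security filter chain is skipped entirely,
         so no SecurityContext is loaded or saved for these requests. -->
    <intercept-url pattern="/static/**" filters="none" />

    <!-- Problematic for a page that logs the user in programmatically:
         <intercept-url pattern="/register" filters="none" />
         With the filters skipped, the Authentication that the handler puts
         into SecurityContextHolder is never saved to the session, so the
         user is anonymous again on the next request. -->

    <!-- Filters still run; the authorization rule simply lets everyone in. -->
    <intercept-url pattern="/register" access="permitAll" />

    <!-- Patterns are matched in order, so the catch-all rule stays last. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login />
    <logout />
</http>
```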