Question

Hi, I have a Spring Security application:

<http auto-config="true">
    <intercept-url pattern="/**" />
    <form-login authentication-failure-handler-ref="authenticationFailureHandler" authentication-success-handler-ref="authenticationSuccessHandler" login-page="${loginUrl}" authentication-failure-url="${loginUrl}" />
    <logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />
    <anonymous enabled='false'/>
</http>

But the anonymous user is not intercepted. How can I allow all roles but not ROLE_ANONYMOUS?


Solution

Try IS_AUTHENTICATED_FULLY:

<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

You can do the same thing using a SpEL expression:

<http auto-config="true" use-expressions="true">
    ...
    <intercept-url pattern="/**" access="isAuthenticated()" />
    ...
</http>

All available expressions are listed here. In general, SpEL expressions are more flexible.
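A complete configuration built around the rule from the answer, as an added example that is not part of the original post: it keeps the login page reachable while `/**` requires authentication, and it shows where `isFullyAuthenticated()` (the SpEL counterpart of `IS_AUTHENTICATED_FULLY`, which rejects remember-me logins) differs from `isAuthenticated()` (which accepts them). Assumptions: the Spring Security 3.1+ XML namespace, the paths `/login.jsp` and `/account/**`, and a constructed in-memory user.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The login page must stay reachable without authentication; otherwise the
         /** rule below redirects unauthenticated users to a page they cannot load.
         /login.jsp is an assumed path, distinct from the login processing URL. -->
    <http pattern="/login.jsp" security="none" />

    <http auto-config="true" use-expressions="true">
        <!-- Sensitive area (assumed path): requires a login with credentials in
             this session; a remember-me cookie alone is rejected. -->
        <intercept-url pattern="/account/**" access="isFullyAuthenticated()" />

        <!-- Everything else: any authenticated user, whatever the role.
             Rules are matched in order, so this catch-all goes last. -->
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=1" />
        <logout logout-url="/logout" invalidate-session="true" />

        <!-- Enabled here only so the two expressions above behave differently. -->
        <remember-me />

        <anonymous enabled="false" />
    </http>

    <!-- Constructed sample user so the context loads; replace with a real
         user store and hashed passwords. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="alice" password="example-only" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```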

License: CC-BY-SA with attribution
Not affiliated with StackOverflow