Develop Reference

spring security - logout when session expires and also allowing anonymous user to access the functionality

I have a requirement to redirect to login page when session expires for a logged in user.
However the functionality is accessible as anonymous user (i.e the user not logged in) as well.
A feature "Search Address" is accessible by everyone, meaning logged in users and anonymous users (user not logged in)....
So the requirement is such, that when the user logs in and performs search, it should redirect if session has already expired, however just making it clear the same search should work if we don't login in (i.e anonymous).
An anonymous user is technically logged in, therefore they have a session created as well, however they wouldn't manually type user name/password in to login as opposed to the logged in user
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http security="none"
pattern="^/(login\.jsp|customSkin|openlayers|images|js)[/\?].*$"
request-matcher="regex"/>
<security:http entry-point-ref="http403ForbiddenEntryPoint">
<security:anonymous enabled="true" granted-authority="ROLE_GENERIC" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="PreAuthenticationFilter"/>
<!-- <security:logout logout-success-url="/loginUI.jsp" /> -->
<security:logout logout-url="/logout" success-handler-ref="LogoutSuccessHandler" />
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
<!-- SMES Interceptors -->
<security:intercept-url pattern="/Mark**" access="ROLE_ABC_OSGV" />
<security:intercept-url pattern="/abc/admin/**" access="ROLE_ABC_OSGV" />
<security:intercept-url pattern="/abc/edit/**" access="ROLE_ABC_OSGV,ROLE_ABC_REGISTERED_USER" />
<security:intercept-url pattern="/abclookup/**" access="ROLE_ABC_OSGV,ROLE_ABC_REGISTERED_USER,ROLE_GENERIC,ROLE_ADMIN,ROLE_EDIT,ROLE_ABC_ADMIN,ROLE_ABC_HCA" />
<security:intercept-url pattern="/general/**" access=
"ROLE_ABC,
ROLE_GENERIC,
ROLE_ADMIN,
ROLE_ABC_EXPORT,
ROLE_EDIT,
ROLE_ABC,
ROLE_ABC_TPC,
ROLE_ABC_VMT,
ROLE_ABC_S,
ROLE_ABC_DATA_GENERIC,
ROLE_ABC_DATA_ADMIN,
ROLE_ABC_OSGV,
ROLE_ABC_REGISTERED_USER,
ROLE_ABC_ADMIN,
ROLE_ABC_HCA,
ROLE_ABC_NAMES" />
<!-- SMES Interceptors -->
<security:intercept-url pattern="/vicnames/edit/**" access="ROLE_ABC_ADMIN,ROLE_ABC_HCA" />
<security:intercept-url pattern="/vicnames/admin/**" access="ROLE_ABC_ADMIN" />
<!-- LASSI Interceptors -->
<security:intercept-url pattern="/edit/**" access="ROLE_ADMIN,ROLE_EDIT" />
<security:intercept-url pattern="/broadcast/save**" access="ROLE_EDIT" />
<security:intercept-url pattern="/edmbooking/admin/**" access="ROLE_ABC_BOOKING_ADMIN" />
<security:intercept-url pattern="/adminUdateLogicaLabels**" access="ROLE_ADMIN,ROLE_EDIT" />
<security:intercept-url pattern="/**" access=
"ROLE_DQA,
ROLE_GENERIC,
ROLE_ADMIN,
ROLE_DQA_EXPORT,
ROLE_EDIT,
ROLE_APS,
ROLE_ABC_TPC,
ROLE_ABC_VMT,
ROLE_ABC_TEST,
ROLE_ABC_DATA_GENERIC,
ROLE_ABC_DATA_ADMIN,
ROLE_ABC_OSGV,
ROLE_ABC_REGISTERED_USER,
ROLE_ABC_ADMIN,
ROLE_ABC_HCA,
ROLE_ABC_NAMES" />
<security:access-denied-handler ref="accessDeniedHandler"/>
</security:http>
<bean id="LogoutSuccessHandler"
class="LogoutHandlerImpl">
</bean>
<bean id="http403ForbiddenEntryPoint"
class="CustomHttp403ForbiddenEntryPoint">
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preAuthenticationProvider" />
<security:authentication-provider ref="myProfileAuthenticationProvider" />
</security:authentication-manager>
<bean id="preAuthenticationFilter" class="PreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="formLoginFilter" class="UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationSuccessHandler" ref = "authenticationSuccessHandler"/>
<property name="authenticationFailureHandler" ref = "authenticationFailureHandler" />
</bean>
<bean id="authenticationSuccessHandler"
class="AuthenticationSuccessHandlerImpl">
<!--<property name="defaultTargetUrl" value="/login.jsp"/>-->
<property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
<bean id="authenticationFailureHandler"
class="AuthenticationFailureHandler">
<!-- <property name="defaultFailureUrl" value="/sessionTimeout.jsp?login_error=true"/> -->
<property name="defaultFailureUrl" value="/login.jsp?login_error=true"/>
</bean>
<bean id="preAuthenticationProvider"
class="PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="lpreAuthenticatedUserDetailsService"/>
</bean>
<bean id="lpreAuthenticatedUserDetailsService" class="somepreauthenticateduserdetailsservice"/>
<bean id="myProfileAuthenticationProvider"
class="com.test.AuthenticationProvider">
<property name="serviceInvoker" ref="authenticationServiceInvoker" />
<property name="roleMapping">
<map>
<entry key="ABC_DQA" value="ROLE_DQA" />
<entry key="ABC_APS" value="ROLE_APS" />
<entry key="ABC_EDIT" value="ROLE_EDIT" />
<entry key="ABC_ADMINISTRATOR" value="ROLE_ADMIN" />
<entry key="ABC_GENERIC" value="ROLE_GENERIC" />
<entry key="ABC_DQA_EXPORT" value="ROLE_DQA_EXPORT" />
<entry key="ABC_FOH" value="ROLE_ABC_FOH" />
<entry key="ABC_TPC" value="ROLE_ABC_TPC" />
<entry key="ABC_VMT" value="ROLE_ABC_VMT" />
<entry key="ABC_SPEAR" value="ROLE_ABC_TEST" />
<entry key="ABC_LANDATA_GENERIC" value="ROLE_ABC_DATA_GENERIC" />
<entry key="ABC_LANDATA_ADMIN" value="ROLE_ABC_DATA_ADMIN" />
<entry key="ABC_OSGV" value="ROLE_ABC_OSGV" />
<entry key="ABC_Registered_Users" value="ROLE_ABC_REGISTERED_USER" />
<entry key="ABC_ADMINISTRATOR_ROLE" value="ROLE_ABC_ADMIN" />
<entry key="ABC_HISTORIAN_ROLE" value="ROLE_ABC_HCA" />
<entry key="ABC_PUBLIC_ROLE" value="ROLE_ABC_NAMES" />
<entry key="ABC_BOOKING_ADMIN" value="ROLE_EDM_BOOKING_ADMIN" />
</map>
</property>
</bean>
<bean id="accessDeniedHandler"
class="someaccessdeniedhandler">
<property name="errorPage" value="/login.jsp?access_denied=true"/>
</bean>
<bean id="authenticationServiceInvoker"
class="com.test.AuthenticationServiceInvoker" />
<bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
<property name="maximumSessions" value="1"/>
</bean>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
</beans>
public class CustomHttp403ForbiddenEntryPoint implements AuthenticationEntryPoint {
private static final Log logger = LogFactory.getLog(Http403ForbiddenEntryPoint.class);
/**
* Always returns a 403 error code to the client.
*/
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException arg2) throws IOException,
ServletException {
if (logger.isDebugEnabled()) {
logger.debug("Pre-authenticated entry point called. Rejecting access");
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
if (request.getUserPrincipal() == null && request.getContentType() != null && request.getContentType().toLowerCase().indexOf("multipart/form-data") > -1 ) {
returnJSSCript(request, response, "{\"sessionTimeout\":\"true\"}");
}
else {
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
}
}
private void returnJSSCript(HttpServletRequest req, HttpServletResponse response, String msg){
response.setContentType("text/html");
try {
String eventName = "sessionTimeout";
PrintWriter out = response.getWriter();
out.println("<script type=\"text/javascript\">");
out.println("parent.fireEvent('" + eventName + "','" + msg + "');");
out.println("</script>");
}
catch (IOException e) {
e.printStackTrace();
}
}
}
Could you please let me know how we can redirect to a login page when the user's session has been expired without breaking the search functionality of allowing the anonymous user to still perform the search in Spring Security.
Cheers,
Tech XX

Just make the search url anon, and take it out to another http configuration, So it will not be filtered in your /** chain(<security:http entry-point-ref="http403ForbiddenEntryPoint">).
<security:http pattern="/general/search.json" security="none"/>

An Authentication object was not found in the SecurityContext in oauth2

I have a project which uses spring security oauth2 for secured connections.Below is my spring configuration file.
spring-security.xml :
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd ">
<!-- #author Nagesh.Chauhan(neel4soft#gmail.com) -->
<!-- This is default url to get a token from OAuth -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<http pattern="/protected/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/protected/**" access="ROLE_APP" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<!-- This is simple authentication manager, with a hardcoded user/password
combination. We can replace this with a user defined service to get few users
credentials from DB -->
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="user1" password="user1" authorities="ROLE_APP" />
</user-service>
</authentication-provider>
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<!-- This defined token store, we have used inmemory tokenstore for now
but this can be changed to a user defined one -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<!-- This is where we defined token based configurations, token validity
and other things -->
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="3600" />
<property name="refreshTokenValiditySeconds" value="5270400"></property>
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="oAuth2RequestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails"/>
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="requestFactory" ref="oAuth2RequestFactory"/>
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/protected" token-endpoint-url="/oauth/token">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="test" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<!-- client -->
<oauth:client client-id="client1"
authorized-grant-types="authorization_code,client_credentials"
authorities="ROLE_APP" scope="read,write,trust" secret="secret" />
<oauth:client client-id="client1"
authorized-grant-types="password,authorization_code,refresh_token,implicit"
secret="client1" authorities="ROLE_APP" />
</oauth:client-details-service>
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
When i request for oauth access token using the below request am getting the access and refresh token as below.
Request is
curl -X POST http://localhost:8080/SaveItMoneyOauth/oauth/token -H “Accept: application/json” -d "grant_type=password&client_id=client1&client_secret=client1&username=user1&password=user1&scope=read,write,trust"
Response is :
{"value":"4796a04a-2266-4184-a1be-e4248cea7ba8","expiration":"Jul 11, 2016 12:15:34 PM","tokenType":"bearer","refreshToken":{"expiration":"Sep 10, 2016 11:15:34 AM","value":"87509989-0ea9-4372-87aa-22290ae0c98e"},"scope":["read,write,trust"],"additionalInformation":{}}curl: (6) Could not resolve host: application
Then when i i requested for the protected resources using below request i am getting "An Authentication object was not found in the SecurityContext" as error.
Request is :
curl -H "access_token=4796a04a-2266-4184-a1be-e4248cea7ba8" "http://localhost:8080/SaveItMoneyOauth/protected/users/api"
I am using "2.0.7.RELEASE" as the oauth2 library.
How to solve this error.Please help me.

Your CURL command is wrong, you need to provide the access token in the Authorization header. Try this:
curl -H "Authorization: Bearer 4796a04a-2266-4184-a1be-e4248cea7ba8" "http://localhost:8080/SaveItMoneyOauth/protected/users/api"

spring security authentication from mysql database

I'm trying to make spring authenticate users from my mysql database.
It's working fine for users in memory.
I followed every tutorial about this and still isn't working, I don't understand why, since it requires a very basic config.
My applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http security="none" pattern="/javax.faces.resource/**" />
<http security="none" pattern="/static/**"/>
<http auto-config="true" use-expressions="true"
access-denied-page="/public/login.xhtml">
<intercept-url pattern="/public/**" access="permitAll"/>
<intercept-url pattern="/secure/adm.xhtml" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/login.xhtml" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<form-login login-page="/public/login.xhtml"
authentication-failure-url="/public/login.xhtml?erro=true"
default-target-url="/secure/secure.xhtml"
username-parameter="usuario"
password-parameter="senha"
/> <!--login-processing-url-->
<logout/>
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
<beans:property name="url" value="jdbc:mysql://localhost:3306/gde" />
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
<beans:property name="username" value="root" />
<beans:property name="password" value="" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="a" password="b" authorities="ROLE_USER"/>
<user name="b" password="a" authorities="ROLE_ADMIN"/>
</user-service>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USUARIO as username, SENHA as password, ISATIVO as enabled FROM usuario WHERE USUARIO=?"
authorities-by-username-query="SELECT USUARIO_USUARIO as username, AUTORIZACOES_TIPO as authority FROM usuario_tipo_usuario WHERE USUARIO_USUARIO=?"
/>
</authentication-provider>
</authentication-manager>
</beans:beans>
For a/b and b/a it authenticates just fine.

Officially answering: I just had to remove the in memory users and to get it working, although I don't really understand why.
Thank you, bluefoot and Luke Taylor.

Spring Security 3 Logout not working

I am new to spring security. I have created an example in spring security 3.
I am facing a problem. I am able to login successfully with the default login page, but when I logout, I am successfully redirected to my loggedout.jsp but when check with altering URL I see that I am still logged in.
The Spring security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/loggedout.jsp" security="none" />
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/loggedout.jsp" invalidate-session="true"
delete-cookies="JSESSIONID" />
<!-- <remember-me key="myAppKey" /> -->
<!-- <session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management> -->
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="vrajesh" password="vrajesh"
authorities="ROLE_USER,ROLE_ADMIN" />
<user name="test" password="test"
authorities="ROLE_USER,ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!--
<http pattern="/loggedout.jsp" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login />
<logout logout-success-url="/loggedout.jsp"
delete-cookies="JSESSIONID"/>
<remember-me />
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
</http>
-->
</beans:beans>
This is my logout link on every page:
<p>Logout</p>
and this is my loggedout.jsp:
<p>
You have been logged out. Start again.
</p>
In my loggedout.jsp, if I click on the 'Start again' link it should display login page, but it does not. Instead I am logged in the application.
Please help me and let me know if I am missing anything.

Your logout link on every page should be:
<p>Logout</p>

I had problem when referencing j_spring_security_logout, so I did this:
1.- In spring-security.xml added to section:
<logout logout-url="/logout.html"/>
2.- In my controller I just have:
#RequestMapping(value = "logout.html", method = RequestMethod.GET)
public String logout(ModelMap model, HttpServletRequest request) {
return "loginform";
}
3.- In my .jsp:
<fmt:message key="text.exit" />
And it works flawlessly :)
You can check additional logout configurations here.

Spring Security 3.0.5 Session Expires Redirect

I'm trying to implement the configuration but it never redirects me to my login.html page, any ideas?
Security Config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http access-denied-page="/auth/denied.html">
<intercept-url filters="none" pattern="/javax.faces.resource/**" />
<intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
<intercept-url filters="none" pattern="/preregistered/*"/>
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/preregistered/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/registered/*"
access="ROLE_USER"
requires-channel="http"/>
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-url="/auth/logout.html"
success-handler-ref="DCLogoutSuccessHandler"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
<session-management session-fixation-protection="none"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias="am">
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="xmlAuthenticationProvider" />
</authentication-manager>
</beans:beans>

I had a lot of problems due to
filters="none"
try
access="IS_AUTHENTICATED_ANONYMOUSLY"