intercept-url pattern /** causing 404 error

Question

I have searched here, google and springsource for this and could not find a solution that worked for me. I have the below spring-security.xml and when I use the pattern

Answer 1

The config looks fine to me. Could it be that the /login page is actually not there? The second config (with /index*) might have only worked, because then the request you made wasn't intercepted, and consequently didn't get redericted to the non-existent /login page. If it was a problem with the config, Spring Security would respond with 403 not 404.

Double-check without any Spring Security configured if the /login url works.

Answer 2

Adds an AnonymousAuthenticationFilter to the stack and an AnonymousAuthenticationProvider. Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute. spring secuirty

or use isAnonymous() instead.

Answer 3

For completeness, here's the real reason this requires a change to isAnonymous().

The <http> element has an attribute use-expressions which defaults to true. In the default situation, you are required then to use "security expressions" instead of role names. If you wish to use only role names in access= declarations, you need to turn off expressions with

<http use-expressions="false"> ... </http>

Answer 4

Change this <intercept-url pattern="/login" filters="none" access="permitAll" />

to

<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />