I have a controller that has many actions and it specifies a default class-level @PreAuthorize annotation, but one of the actions I want to let anyone in (the "show" action).

@RequestMapping("/show/{pressReleaseId}")
@PreAuthorize("permitAll")
public ModelAndView show(@PathVariable long pressReleaseId) {
    ModelAndView modelAndView = new ModelAndView(view("show"));

    modelAndView.addObject("pressRelease",
        sysAdminService.findPressRelease(pressReleaseId));

    return modelAndView;
}

Unfortunately, Spring Security throws this exception:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)

How can I get Spring Security to NOT throw this exception? I just want to let anyone in - non-authenticated users and authenticated users - Everyone.

My only solution is to put this method into another controller altogether with no @PreAuthorize at all... which will work, but that's stupid. I want to keep all my press release actions in the same controller.

Thanks for the help!

The normal way to allow anyone to access a controller method is to not annotate it with any Spring Security annotations; ie no @PreAuthorize no @Secured etc.

You should be able to simply remove @PreAuthorize from the show() method, any leave the annotation on the other methods in that controller. The other methods will remain secured regardless of what you do with the show() method.

I guess you don't have anonymouse authentication filter enabled.

If you use namespace configuration and auto-config = "true", it should be enabled by default. If you don't use auto-config, you can enable anonymous filter as <security:anonymous />.

The default changed with a newer version (version 2) of the spring security plugin. That means all controllers are secured by default (you need to login to see them). Removing @Secured will not work at all, it will still stay secured. You can change this default behaviour, but to me the new default behaviour makes sense because it is much more secure. And security is very important.

I only use

@Secured(['permitAll'])

for my controller, but it should also work for a method.