We Keep Coding

How to map a public URL using Spring

I need in my web 2 types of URLs, one with access restrictions and one without it.
This is the schema:
myApp:
myApp/*.do <-- Authorization required
myApp/public/* <-- No Authorization required
The (1) URLs works fine, but I don't know how to implement / configure spring for (2). This is my actual configuration of servlet-mapping:
Web.xml
<servlet>
<servlet-name>myApp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>myApp</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
And in context-security.xml I have the following for the public access:
<http pattern="/public/**" security="none"/>
I tried to add in Web.xml one more url-pattern with:
<url-pattern>/public/*</url-pattern>
But this doesn't work fine, I can access to all urls with authorization required without being logged using: myApp/public/xxx.do.
Should I create another servlet only for public URLs, or there is something more simple?
Edit:
My context-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Debug -->
<!--
<debug />
-->
<global-method-security pre-post-annotations="enabled" />
<!-- No securizamos los recursos públicos -->
<http pattern="/public/**" security="none"/>
<http use-expressions="true" entry-point-ref="myAppAuthenticationEntryPoint">
<intercept-url pattern="/ProcessResponseServlet" access="permitAll" />
<intercept-url pattern="/CallAuthenticationServlet" access="permitAll" />
<intercept-url pattern="/ReturnAuthenticationServlet" access="permitAll" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login
login-page="/login.jsp"
default-target-url="/index.jsp"
authentication-failure-url="/login.jsp?login_error"
/>
<logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
<remember-me />
</http>
<!-- myApp authentication entry point -->
<beans:bean id="myAppAuthenticationEntryPoint"
class="com.home.myApp.webapp.security.myAppAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>
<!-- Autenticación de pruebas-->
<authentication-manager>
<authentication-provider ref="mockProvider">
</authentication-provider>
</authentication-manager>
<beans:bean id="mockProvider" class="com.home.myApp.webapp.security.MockAuthenticationProvider" >
</beans:bean>

You should use Spring security.
1. Add to your web.xml Filter for Spring Security (for example)
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/dispatcher.xml
/WEB-INF/context-security.xml
</param-value>
</context-param>
Add to your context-security.xml
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/public/**" access="permitAll"/>
<intercept-url pattern="/res/**" access="permitAll"/>
<intercept-url pattern="/*.do" access="isAuthenticated()"/>
</http>

Can't get active user list from spring security session

I want to get active user list from spring security. As I am new to spring security, I get some reference codes by googling, the following codes are to get user list..
#Autowired
#Qualifier("sessionRegistry")
private SessionRegistryImpl sessionRegistry;
#RequestMapping(value = "/authenticate", method = {RequestMethod.POST },consumes ="application/json",produces = "application/json")
public #ResponseBody LoginResponse authentication(#RequestBody User user, HttpServletRequest request) throws AuthenticationException {
String userName=user.getUsername();
String password=user.getPassword();
List<Object> principals = sessionRegistry.getAllPrincipals();
List<User> usersNamesList = new ArrayList<User>();
for (Object principal: principals) {
if (principal instanceof User) {
usersNamesList.add((User) principal);
}
}
Authentication authenticationToken = new UsernamePasswordAuthenticationToken(
userName, password);
Authentication authentication = authenticationManager
.authenticate(authenticationToken);
SecurityContext securityContext = SecurityContextHolder
.getContext();
securityContext.setAuthentication(authentication);
HttpSession session = request.getSession(true);
session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
LoginResponse response = new LoginResponse("success", session.getId());
return response;
}
And here is my application-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Get a basic Spring Security provided form based login infra -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/index" access="permitAll" />
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/app/**" access="permitAll" />
<intercept-url pattern="/simplemessages/**" access="permitAll" />
<intercept-url pattern="/topic/**" access="permitAll" />
<intercept-url pattern="/topic/simplemessages" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/loginPage" access="permitAll" />
<!-- Requests to secured pages need to be authenticated and authorized -->
<intercept-url pattern="/secured/*"
access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<!-- Define the security form login and logout pages/urls -->
<form-login login-processing-url="/login" login-page="/loginPage"
username-parameter="username" password-parameter="password"
default-target-url="/secured/basicWebsockets"
authentication-failure-url="/loginPage?auth=fail" />
<logout invalidate-session="true" logout-url="/logout"
logout-success-url="/logoutPage" />
<session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.html?authFailed=true">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry" session-authentication-strategy-ref="sas"/>
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="john" password="doe" authorities="ROLE_USER" />
<user name="sunit" password="katkar" authorities="ROLE_USER" />
<user name="admin" password="admin" authorities="ROLE_USER,ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.4">
<display-name>Spring Web MVC Application</display-name>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<async-supported>true</async-supported>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Please help me, what's wrong with my codes or how to get active user list. I am very new to spring-security and java. Thanks for your time.

See if you have or need Session Authenticatin Strategy as below
<http>
<session-management session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
<beans:property name="maximumSessions" value="1" />
<beans:property name="exceptionIfMaximumExceeded" value="true" />
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>

Spring security default ignores j_spring_security_check

I'm tryinmg to reassemble my spring mvc application to use it with nginx server. Not just for serving static pages to. All was seem fine to me, but suddenly i faced problem, that default UsernamePasswordAuthenticationFilter that must check /j_spring_security_check url does nothing. Just passing that link through.
Here is my web.xml - as you can see - it's common;
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<description>Web server of secure</description>
<!-- Start root service context -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring/service-context.xml
/WEB-INF/spring/servlet-context.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Setup servlet context-->
<servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/servlet-context.xml</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
<!-- Setup spring security -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
Here is my security-context and servlet-context that includes security
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!--login-page="/api/account/login"-->
<description>Security layer</description>
<security:http auto-config="true" access-decision-manager-ref="accessDecisionManager" use-expressions="true"
authentication-manager-ref="daoBasedAuthManager">
<security:intercept-url pattern="/api/account/checklogin" access="isAnonymous()"/>
<security:intercept-url pattern="/api/account/login" access="isAnonymous()"/>
<security:intercept-url pattern="/api/account/register" access="isAnonymous()"/>
<security:intercept-url pattern="/api/account/toregister" access="isAnonymous()"/>
<security:intercept-url pattern="/api/account/tovalidateToken" access="isAnonymous()"/>
<security:intercept-url pattern="/api/account/validateToken" access="isAnonymous()"/>
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:intercept-url pattern="/header.html" access="permitAll"/>
<security:intercept-url pattern="/footer.html" access="permitAll"/>
<security:intercept-url pattern="/favicon.ico" access="permitAll"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:form-login login-page="/api/account/login" authentication-success-handler-ref="authenticationSuccessHandler" />
</security:http>
<bean id ="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/api/account/home"/>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg name="decisionVoters">
<list>
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="ROLE_"/>
</bean>
<!--<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>-->
</list>
</constructor-arg>
</bean>
<security:authentication-manager id="daoBasedAuthManager" erase-credentials="false" >
<security:authentication-provider ref="customAuthProvider"/>
</security:authentication-manager>
<bean id="userService" class="ua.secure.service.UserServiceImpl"/>
<bean id="customAuthProvider" class="ua.secure.service.CustomAuthenticationProvider">
<property name="userDetailsService" ref="userService"/>
</bean>
<security:authentication-manager id="predefinedAuthManager" >
<security:authentication-provider>
<security:user-service id="userDetailsService">
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="user" password="user" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
servlet-context.xml
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<description>Web layer</description>
<import resource="security-context.xml"/>
<mvc:annotation-driven/>
<mvc:resources mapping="/resources/**" location="/resources/"/>
<context:component-scan base-package="ua.secure.web"/>
<bean class="org.springframework.web.servlet.view.XmlViewResolver">
<property name="location">
<value>/WEB-INF/layouts/layouts.xml</value>
</property>
</bean>
</beans>
And finally, my log, when im trying to login
LOG
This is log from my app, that lies on tomcat completely
LOG from working app
As you can see, UsernamePasswordAuthenticationFilter should react on j_spring_security_check
UPD
And this is my login form
<div id="loginform">
<form action="/SecurConfig/j_spring_security_check" method="post">
<div class="loginparamtext">email:</div>
<input class="text" type="text" name="j_username" id="j_username"/>
<div class="loginparamtext">password:</div>
<input class="text" type="password" name="j_password" id="j_password"/>
<div class="loginparamtext">Remember me
<input style="width:50px;" type='checkbox' name='_spring_security_remember_me'/>
</div>
<button type="submit">Login</button>
</form>
</div>
UPD
I changed form action="/SecurConfig/j_spring_security_check" to just
form action="/j_spring_security_check"
and in began top work;

Access denied on the index.jsp due to spring security

This issue is related to spring security. Whenever I run my application on tomcat by default index.jsp opens but now i am getting access denied on this page.
From index.jsp i am redirecting the page to login.jsp, but since I am getting access denied on this page, redirection is not happening. What i meant to say is if hit: "localhost:8080/abc" I am getting access denied but if I hit "localhost:8080/abc/login" the page opens. (just to be clear, abc is the application context)
I am pretty much sure i have messed up somewhere in the spring security config, because it was working fine before.
Below are my files:
This is my spring-security.xml
<sec:global-method-security pre-post-annotations="enabled"/>
<!--
Add white listed urls here.
Please note that the filter chain will not be applied and the security context not populated.
Use for static resource mostly
-->
<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none" />
<http pattern="/login1" security="none" />
<http pattern="/googleLogin" security="none" />
<!-- Add protected resource here -->
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="AuthenticationService" />
</authentication-manager>
<beans:bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<beans:bean id="AuthenticationService" class="com.hitesh.security.AuthenticateUserService"/>
<beans:bean id="oauth2PreAuthFilter" class="com.hitesh.security.OAuth2PreAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="preAuthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</beans:bean>
<beans:bean id="preAuthenticatedUserDetailsService" class="com.hitesh.security.Oauth2PreAuthenticatedUserService"/>
This is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Inventory Project</display-name>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/abc/application.xml,
classpath:/abc/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I am stuck on this for quite a time, any help will be really appreciated.
Update: On application startup, my code is going into the oauth2PreAuthFilter. For index.jsp, it shouldn't run this filter. Is there a way to avoid this, i have tried
<http pattern="/index" security="none" />
but this didn't helped.

Try this (use your values):
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
</http>

Got the fix:
<http auto-config="true" pattern="/index.jsp" />

How use Spring Security 3 on Struts 2?

I have read a lot of tutorials about using Spring Security 3 on Struts 2. But I can't make it work :/.
I can't find a "Dummy step by step guide" about implement this framework on Struts 2.
Here is what I have:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<display-name>cv</display-name>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>example/HelloWorld.jsp</welcome-file>
</welcome-file-list>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context/spring-context-2.5.xsd"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/context/spring-context-2.5.xsd/spring-spring-context-2.5.xsd-3.1.1.RELEASE.xsd
">
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<http>
<intercept-url pattern="/login*" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/search.action*" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/user/**" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.action" />
<logout logout-url="/logout.action" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
</beans>
And my HelloWorld.jsp
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="isAnonymous()">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to an Customer only.<br/>
You are an Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
Logout
</body>
I want to test how the privileges works using the tag "isAnonymous" showing that block of text, but I can't make it work
:(

You need to add Spring Security's filter chain to the web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This goes after your Struts filter. This will allow Spring Security to check/block the request prior to Struts being handed the request.
Assuming the user is allowed to access the content Spring Security will set up a SecurityContext object that will make allow the JSP tags work.