We have an application implemented with Spring Security 3.20 and CAS 3.5. It is working fine except for the anonymous portion. If a user has logged in to CAS, we want them to show in the application as the logged-in username; instead they show as anonymousUser. This is on pages that allow both anonymous or logged-in users. If they explicitly go to a page requiring a role, SSO kicks in and they show as whatever the logged-in user is. What do we need to configure to show the logged-in user without forcing them to go to a secure page (or some other way)?

Our configuration follows:
<http auto-config="true" entry-point-ref="casentrypoint" use-expressions="true">
    <intercept-url pattern="/canary.html" access="permitAll" />
    <intercept-url pattern="/test.html" access="hasRole('adm')" />
    <intercept-url pattern="/testanon.html" access="hasRole('sec') or isAnonymous()" />
    <intercept-url pattern="/policyselect.html" access="hasRole('adm')" />
    <intercept-url pattern="/**" access="hasRole('sec') or isAnonymous()" />
    <custom-filter position="CAS_FILTER" ref="casfilter" />
    <logout logout-success-url="/cas-logout.jsp"/>
    <custom-filter ref="requestsinglelogoutfilter" before="LOGOUT_FILTER"/>
    <custom-filter ref="singlelogoutfilter" before="CAS_FILTER"/>
    <access-denied-handler error-page="/WEB-INF/jsp/403.jsp"/>
</http>

If a user is logged in to CAS and goes to testanon.html, they still show as anonymous until they go to a page such as test.html that requires the role of adm. After that they are logged in, and stay that way on all pages.
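
The behaviour described above follows from how the intercept-url rules are evaluated. The sketch below is an added example, not part of the original post or of Spring Security: a simplified Python model of the configuration (first matching pattern wins, and only a denied anonymous request is sent to the CAS entry point). It assumes the application session holds no authentication until the CAS filter has validated a ticket; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Rules restated from the <http> block above, in declaration order.
# Each access expression becomes a predicate over (roles, anonymous).
RULES = [
    ("/canary.html",       lambda roles, anon: True),                    # permitAll
    ("/test.html",         lambda roles, anon: "adm" in roles),          # hasRole('adm')
    ("/testanon.html",     lambda roles, anon: "sec" in roles or anon),  # hasRole('sec') or isAnonymous()
    ("/policyselect.html", lambda roles, anon: "adm" in roles),          # hasRole('adm')
    ("/**",                lambda roles, anon: "sec" in roles or anon),  # hasRole('sec') or isAnonymous()
]


def decide(path, roles=frozenset(), anonymous=True):
    """Return 'allow', 'cas-redirect' or 'denied' for one request.

    Simplified model: the first matching pattern decides. A denied
    anonymous request goes to the entry point (the CAS login redirect);
    a denied authenticated request gets the access-denied page.
    """
    for pattern, allowed in RULES:
        if fnmatchcase(path, pattern):
            if allowed(roles, anonymous):
                return "allow"
            return "cas-redirect" if anonymous else "denied"
    return "allow"  # no rule matched: path is unsecured


def pages_that_trigger_sso(paths):
    """Paths on which an anonymous visitor is sent to CAS."""
    return [p for p in paths if decide(p) == "cas-redirect"]


if __name__ == "__main__":
    # Constructed sample requests for illustration.
    sample = ["/canary.html", "/test.html", "/testanon.html",
              "/policyselect.html", "/index.html"]
    for p in sample:
        print(p, "->", decide(p))
```

Because `isAnonymous()` is satisfied for a visitor without an application session, requests to /testanon.html and everything under /** are allowed without ever reaching the entry point, so the application never contacts CAS and cannot learn about an existing SSO session on those pages.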