Bypassing Spring Security

Today I set out to provide accessible endpoints to a web application already behind Spring Security. My configuration locks down all requests going to the server (as will be shown below), and there is no easy way of adding an excludes parameter to the DelegatingFilterProxy (see various questions on Stack Overflow).

My solution is actually pretty easy, just took a while to discern.

Spring Security Configuration

In my web.xml:
[code lang="xml"]
<!-- Enables Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
[/code]

The solution lies in my security-context.xml:
[code lang="xml"]
<!-- No security set for open URLs, must be declared before broader security -->
<security:http pattern="/unsecure/**" security="none"/>

<security:http auto-config="true">
    <!-- Restrict URLs based on role; in this
         situation, all requests must be authenticated -->
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
</security:http>
[/code]

Adding the additional pattern pointing to “/unsecure/**” means any request going to clearthehaze.com/myapp/unsecure/ is passed straight through without entering the Spring Security filter chain at all (so none of its filters, not only authentication, apply to those URLs), but anything else going to clearthehaze.com/myapp will still require authentication.

Note: You must put this tag ahead of any broader patterns! Spring Security uses the first `<security:http>` element whose pattern matches the request, so if the `/**` element came first it would also claim `/unsecure/**` and the open block would never be reached.
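The same two rules expressed in Spring Security's Java configuration, as an added example that is not part of the original post. It assumes Spring Security 4.x/5.x with the (since deprecated) WebSecurityConfigurerAdapter; the class name SecurityConfig is my own choice.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Java-config equivalent of:
    //   <security:http pattern="/unsecure/**" security="none"/>
    // Matching requests never enter the security filter chain, so they get
    // no authentication, no CSRF protection and no security headers.
    // Keep this list as narrow as the open endpoints actually require.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/unsecure/**");
    }

    // Java-config equivalent of:
    //   <security:http auto-config="true">
    //     <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    //   </security:http>
    // auto-config="true" enabled form login, HTTP Basic and logout; they are
    // spelled out explicitly here.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()   // IS_AUTHENTICATED_FULLY
                .and()
            .formLogin()
                .and()
            .httpBasic()
                .and()
            .logout();
    }
}
```

Unlike the XML form, the ignored matchers are collected separately from the secured chain, so their position in the class does not matter; the ordering rule above applies only to multiple `<security:http>` elements.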