Today I set out to provide accessible endpoints to a web application already behind Spring Security. My configuration locks down all requests going to the server (as will be shown below), and there is no easy way of adding an excludes parameter to the DelegatingFilterProxy (see various questions on Stack Overflow).
My solution is actually pretty easy; it just took a while to discern.
Spring Security Configuration
In my web.xml:
<!-- Enables Spring Security -->
The solution lies in my security-context.xml:
<!-- No security set for open URLs, must be declared before broader security -->
<security:http pattern="/unsecure/**" security="none"/>
<!-- Restrict URLs based on role, in this situation, all requests must be authenticated -->
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
Adding the additional pattern pointing to “/unsecure/**” means any request going to clearthehaze.com/myapp/unsecure/ has no security, but anything else going to clearthehaze.com/myapp will still require authentication.
Note: You must put this tag ahead of any broader patterns!
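A complete security-context.xml with the two declarations in the required order, as an added example rather than my original file. It assumes the usual springSecurityFilterChain mapping in web.xml; the use-expressions attribute, the form-login element and the userDetailsService bean name are assumptions not shown above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- 1. Most specific pattern first. A request under /unsecure/ matches
          here and bypasses the Spring Security filter chain entirely, so
          no authentication is performed and no SecurityContext is set up
          for it. Keep the pattern as narrow as the open endpoints need. -->
  <security:http pattern="/unsecure/**" security="none"/>

  <!-- 2. Catch-all chain, declared last. Every request that did not match
          an earlier <security:http> element lands here and must be fully
          authenticated. -->
  <!-- Assumption: use-expressions="false" is set explicitly because
       IS_AUTHENTICATED_FULLY is the non-expression access syntax. -->
  <security:http use-expressions="false">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <!-- Assumption: form login as the authentication mechanism. -->
    <security:form-login/>
  </security:http>

  <!-- Assumption: "userDetailsService" is a hypothetical bean defined
       elsewhere in the application context. -->
  <security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService"/>
  </security:authentication-manager>

</beans>
```

The first matching `<security:http>` element handles a request, which is why the pattern-less catch-all block has to come after `/unsecure/**`.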