Bypass Spring Security Filter for URL

Question

I modified my applicationContext-security-preauth.xml with the goal of removing filters from a particular URL.

I'm having trouble with the spring-security-oauth filter, so I want to temporarily avoid using this filter for particular requests.

<intercept-url pattern="/notsecure/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

After building and copying the new JAR, and then refreshing Tomcat, my /notsecure/ HTTP requests still hit this filter, according to my logs.

I would not have expected for any filter to be hit given my configuration change.

EDIT: I'm using Spring Security 2

Answer 1

If you want to avoid hitting any filters for that URL you will need an additional <http> element like this:

<security:http pattern="/notsecure/**" security="none"/>

(This will work only with Spring Security 3.1+)

IS_AUTHENTICATED_ANONYMOUSLY requires that the request is anonymously authenticated which is done by a filter (namely the AnonymousAuthenticationFilter).