The SpringSecurity reference does not explain how the <intercept-url> elements are mapped to filters. Fore example:
- It should describe the significance the order of these elements.
- It should mention that an element with a "method='...'" takes precedence over any element with out this attribute.
- It should mention that the "filter='none'" causes all other attributes to be silently ignored ... including "requires-channel".
- It should say whether "access='ROLE_A,ROLE_B'" means "ROLE_A or ROLE_B" or "ROLE_A and ROLE_B".
- It should explain why "access='' requires_channel='https'" does not work.
- It should document "ROLE_ANONYMOUS" and "IS_AUTHENTICATED_ANONYMOUSLY", what they (respectively) mean, where/how they should be used.