Resolution: Won't Fix
Affects Version/s: 3.0.2
Fix Version/s: 3.1.0.M1
I came across this code in HttpConfigurationBuilder:
BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher);
Similar code appears in FilterInvocationSecurityMetadataSourceParser.
As far as I can make out, this means that if you use "path-type=ant" in your <http> element, then query parts will be stripped from URLs before matching them in the interceptor filter, but with "path-type=regex" the matching is done with URL query parts intact.
I don't understand see the rationale for this behaviour. I don't know if it is a bug, or it is a unexpected feature that should be properly documented.
(And as an aside, I would not that Appendix B 1.1 does not give the allowed values for path-type. You have to search the manual for the related examples to find what they are.)