Resolution: Won't Fix
Affects Version/s: 3.0.0, 3.0.1, 3.0.2
Fix Version/s: 3.1.0.M1
However, debugging reveals that the Spring Security filters are being applied to these requests anyway. Here is my configuration:
<http entry-point-ref="entryPoint" create-session="never"
<!-- Ignore any other requests -->
<intercept-url pattern="/**" filters="none" />
<!-- Do not cache requests -->
<request-cache ref="requestCache" />
<!-- RememberMe enables cookie-based, session-less authentication -->
" services-ref="rememberMeServices" />
On further investigation, it appears that the "universal matcher" added by the HttpSecurityBeanDefinitionParser around line 138 is clobbering the "/**" pattern I had defined.
Additionally, the FilterInvocationSecurityMetadataSourceParser on line 112 appears to skip "intercept-url" elements with no "access" attribute defined. Unless I misunderstand what's happening, that seems counter to the documentation as described in section 2.2 and Appendix B.1 (page 115).
Is this a defect or by design? Can we clarify this awkward behavior? Perhaps if my use case is better handled through another configuration. In that case, could an explanation be added to the documentation regarding the "universal matcher" that the namespace configures?