Spring security provides greater flexibility and ease in terms of securing your web application.Recently i found that a particular url was not working in spring security[whereas other urls were working perfectly]. it completely bypassing the url although it was defined in the same way as other urls .
Here is my spring security configuration all urls are secured except /TestServlet
<security:http auto-config="true"> <security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/> <security:intercept-url pattern="/login.jsp" filters="none" /> <security:intercept-url pattern="/login" filters="none" /> <security:intercept-url pattern="/logout" filters="none" /> <security:intercept-url pattern="/TestServlet" access="ROLE_ADMIN" /> <security:form-login login-page="/login" default-target-url="/home" authentication-failure-url="/login?error=1" always-use-default-target="true"/> </security:http>Later , i found out that spring security filter converts the matching url pattern[which we define in intercept-url pattern tag] to lower case , so if you have camel case or upper case url pattern(one or more capital letters in url pattern), it will not match with the spring security pattern , thus this pattern will be ignored by spring security filter. There is a tag available to disable this converting of matching url pattern to lower case. just add lowercase-comparisons attribute to false in http tag in spring security like this :
<security:http auto-config="true" lowercase-comparisons="false"> <security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/> <security:intercept-url pattern="/login.jsp" filters="none" /> <security:intercept-url pattern="/login" filters="none" /> <security:intercept-url pattern="/logout" filters="none" /> <security:intercept-url pattern="/TestServlet" access="ROLE_ADMIN" /> <security:form-login login-page="/login" default-target-url="/home" authentication-failure-url="/login?error=1" always-use-default-target="true"/> </security:http>