Johannes Scharf (Migrated from SEC-1620) said:
The reference doc of the "filters" attribute from the element says, that the value "none" excludes the matched request from Spring Security's filter chain entirely.
I think that's not true as the element only configures the FilterInvocationSecurityMetadataSource which is used by the FilterSecurityInterceptor and NOT by the FilterChainProxy.
Therefore setting the filters attribute to "none" does not exclude the request from the Spring Security filter chain entirely, right?
This issue may also affect the reference doc of Spring Security 2.0.
Luke Taylor said:
The docs are correct.
Note also that this syntax is no longer supported in 3.1.
Johannes Scharf said:
Sorry, there was a problem with our configuration which caused me to think that filters="none" would not exclude the request from the filter chain.