Spring security provides greater flexibility and ease in terms of securing your web application.Recently i found that a particular url was not working in spring security[whereas other urls were working perfectly]. it completely bypassing the url although it was defined in the same way as other urls .
Here is my spring security configuration all urls are secured except /TestServlet
<security:http auto-config="true">
<security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/>
<security:intercept-url pattern="/login.jsp" filters="none" />
<security:intercept-url pattern="/login" filters="none" />
<security:intercept-url pattern="/logout" filters="none" />
<security:intercept-url pattern="/TestServlet" access="ROLE_ADMIN" />
<security:form-login login-page="/login"
default-target-url="/home" authentication-failure-url="/login?error=1"
always-use-default-target="true"/>
</security:http>
Later , i found out that spring security filter converts the matching url pattern[which we define in intercept-url pattern tag] to lower case , so if you have camel case or upper case url pattern(one or more capital letters in url pattern), it will not match with the spring security pattern , thus this pattern will be ignored by spring security filter. There is a tag available to disable this converting of matching url pattern to lower case.
just add
lowercase-comparisons attribute to false in http tag in spring security like this :
<security:http auto-config="true" lowercase-comparisons="false">
<security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/>
<security:intercept-url pattern="/login.jsp" filters="none" />
<security:intercept-url pattern="/login" filters="none" />
<security:intercept-url pattern="/logout" filters="none" />
<security:intercept-url pattern="/TestServlet" access="ROLE_ADMIN" />
<security:form-login login-page="/login"
default-target-url="/home" authentication-failure-url="/login?error=1"
always-use-default-target="true"/>
</security:http>