Spring Security authentication for a REST API

At the moment a basic REST API has 3 URLs (not actual URLs)

  1. http://localhost:8080/app
  2. http://localhost:8080/app/home
  3. http://localhost:8080/app/product

Currently all three URLs have basic authentication using Spring Security using XML.

However, I would like to remove the basic authentication for URL 1.

I have unsuccessfully tried the following approaches (reduced XML)

<http>
    <intercept-url pattern="/app/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <http-basic/>
</http>

vs

<http>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <intercept-url pattern="/app/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <http-basic/>
</http>

Is there something I'm missing in my configuration, or is there another way to achieve this using Spring Security?

Shouldn't you be doing something like this:

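<http>
    <!-- Patterns are evaluated in order and the first match wins, so the more specific pattern is listed first -->
    <intercept-url pattern="/app/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/app/**" access="IS_AUTHENTICATED_FULLY"/>
    <http-basic/>
</http>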

If you set the context path of your server to 'app', then all the paths in your application will be localhost:8080/app/**.

If you want to allow everyone to access all the paths in the application and only for authenticated users to access /home and /product you should do this:

<http>
 <!-- Patterns are evaluated in order and the first match wins, so the catch-all /** goes last -->
 <intercept-url pattern="/home" access="IS_AUTHENTICATED_FULLY" />
 <intercept-url pattern="/product" access="IS_AUTHENTICATED_FULLY" />
 <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
 <http-basic/>
</http>

This way everyone will get to localhost:8080/app but only IS_AUTHENTICATED_FULLY users will have access to /home & /product.
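
Added example, not part of the original posts and not Spring Security code: a simplified Python model of how `<intercept-url>` rules are evaluated, in declaration order with the first matching pattern deciding the access attribute. It assumes, as the answer above does, that `app` is the context path, so patterns are matched against the path after it (`/`, `/home`, `/product`); the matcher ignores trailing slashes, and the rule-set names are constructed for illustration.

```python
# Simplified model of first-match <intercept-url> evaluation (constructed example).
ANON = "IS_AUTHENTICATED_ANONYMOUSLY"
FULL = "IS_AUTHENTICATED_FULLY"

def segments(value):
    """Split a pattern or path into segments; trailing slashes are ignored (simplification)."""
    return [seg for seg in value.split("/") if seg]

def ant_match(pattern, path):
    """Minimal Ant-style match: '**' spans zero or more segments, '*' exactly one."""
    def walk(p, s):
        if not p:
            return not s
        if p[0] == "**":
            return any(walk(p[1:], s[i:]) for i in range(len(s) + 1))
        return bool(s) and p[0] in ("*", s[0]) and walk(p[1:], s[1:])
    return walk(segments(pattern), segments(path))

def decide(rules, path):
    """Return the access attribute of the FIRST rule whose pattern matches the path."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None  # no rule matched: the request is not covered by any intercept-url

# Paths as seen by the matcher when the context path is /app (assumption).
PATHS = ["/", "/home", "/product"]

# Rule sets in declaration order (constructed from the patterns discussed on the page).
ATTEMPT_1 = [("/app/", ANON), ("/**", FULL)]        # "/app/" never matches "/"
ATTEMPT_2 = [("/**", FULL), ("/app/", ANON)]        # catch-all shadows everything after it
CATCH_ALL_FIRST = [("/**", ANON), ("/home", FULL), ("/product", FULL)]
SPECIFIC_FIRST = [("/home", FULL), ("/product", FULL), ("/**", ANON)]

def evaluate(rules):
    """Map every sample path to the access attribute the rule set assigns it."""
    return {path: decide(rules, path) for path in PATHS}

if __name__ == "__main__":
    for name, rules in [("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2),
                        ("catch-all first", CATCH_ALL_FIRST),
                        ("specific first", SPECIFIC_FIRST)]:
        print(name, evaluate(rules))
```

Only the specific-first ordering leaves the root open while protecting `/home` and `/product`; a catch-all listed first either locks everything or opens everything.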
