Spring Security disregard my basic auth unless I specify access role

Using Spring 3.1.2 and RestEasy 2.3.4.

I've got some REST resources. However, I don't want to specify in Spring what roles are needed for all of them. This is my current setup:

<security:http auto-config="true" use-expressions="true">
<security:http-basic/>
<security:intercept-url pattern="/secrets/**" access="ROLE_USER"/>
<security:intercept-url pattern="/**"/>
</security:http>

Calls to '/secret/\*\*' gets authenticated and I can access the user and roles from the SecurityContextHolder-object. Calls to '/\*\*' however don't get authenticated even though I pass basic credentials. I want to authorise internally based on data being loaded and not by the URLs.

It seem that Spring Security disregard my basic auth unless I specify access. Is that correct? Is there any way around it?

Thanks
ThorÅge

You have to specify access rules to have authentication to be applied if you don't specify anything basically every requests matches. Simply specify an access rule as AUTHENTICATED_FULLY which will trigger the process and after that you can simply do the checks yourself.