Spring Security disregard my basic auth unless I specify access role
Using Spring 3.1.2 and RestEasy 2.3.4.
I've got some REST resources. However, I don't want to specify in Spring what roles are needed for all of them. This is my current setup:
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/secrets/**" access="ROLE_USER"/>
Calls to '/secret/\*\*' gets authenticated and I can access the user and roles from the SecurityContextHolder-object. Calls to '/\*\*' however don't get authenticated even though I pass basic credentials. I want to authorise internally based on data being loaded and not by the URLs.
It seem that Spring Security disregard my basic auth unless I specify access. Is that correct? Is there any way around it?