Thread: Spring Security disregards my basic auth unless I specify access role

  1. #1

    Using Spring 3.1.2 and RestEasy 2.3.4.

    I've got some REST resources. However, I don't want to specify in Spring what roles are needed for all of them. This is my current setup:

    <security:http auto-config="true" use-expressions="true">
        <security:http-basic/>
        <security:intercept-url pattern="/secrets/**" access="ROLE_USER"/>
        <security:intercept-url pattern="/**"/>
    </security:http>

    Calls to '/secret/**' get authenticated and I can access the user and roles from the SecurityContextHolder-object. Calls to '/**', however, don't get authenticated even though I pass basic credentials. I want to authorise internally based on data being loaded and not by the URLs.

    It seems that Spring Security disregards my basic auth unless I specify access. Is that correct? Is there any way around it?

    Thanks
    ThorÅge

  2. #2

    You have to specify access rules to have authentication applied; if you don't specify anything, basically every request matches. Simply specify an access rule as AUTHENTICATED_FULLY, which will trigger the process; after that you can simply do the checks yourself.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


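The approach from the reply above, as an added example that is not code from either poster: a catch-all URL rule that only demands authentication, followed by an authorisation decision made in the resource from the loaded data. Assumptions: the rule uses the expression form `isFullyAuthenticated()` because the configuration sets `use-expressions="true"`, and `DocumentResource`, `Document`, `load` and `ROLE_ADMIN` are hypothetical names.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Assumed catch-all rule inside <security:http> (expression syntax):
//   <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
@Path("/documents") // hypothetical resource
public class DocumentResource {

    @GET
    @Path("/{id}")
    public String read(@PathParam("id") String id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed if the URL rule is ever removed: a missing authentication
        // or the anonymous token installed by auto-config is answered with 401.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        Document doc = load(id);
        // Authorisation is decided from the loaded data, not from the URL.
        if (!doc.owner.equals(auth.getName()) && !hasAuthority(auth, "ROLE_ADMIN")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return doc.body;
    }

    private static boolean hasAuthority(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }

    // Constructed stand-in for the real data access.
    private Document load(String id) {
        return new Document("alice", "contents of " + id);
    }

    static final class Document {
        final String owner, body;
        Document(String owner, String body) { this.owner = owner; this.body = body; }
    }
}
```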