<http>to configure security in web application. Each
<http>can now configure separate filter chain for different request pattern. This is very useful when you have a web application that consist of standard web application and the API and you want API to be accessible only with basic authentication. To achieve that in Spring Security 3.1 you need to define security configuration as following:
Each time user accesses
/app/api/**url in browser he sees basic authentication login dialog. In case he accesses
/app/**he is redirected to the login form.
What is new
Except for multiple
<http> elements there some additional changes in above configuration
pattern attribute that represents the request URL pattern which will be mapped to the filter chain created by http element and security attribute that when set to 'none', requests matching the pattern attribute will be ignored by Spring Security.
create-session attribute has new possible value: stateless which implies that the application guarantees that it will not create a session.
password-parameter that is the name of the request parameter which contains the password and username-parameter - the name of username parameter.