From dfbc938e99dd21c16f4a107b4065a6dfbea09dfe Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 6 Jun 2011 12:37:52 +0100 Subject: [PATCH] Added note in namespace docs on mismatch between using filters="none" and other attributes. --- docs/manual/src/docbook/namespace-config.xml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml index fd8330b859..d3b5c30bf1 100644 --- a/docs/manual/src/docbook/namespace-config.xml +++ b/docs/manual/src/docbook/namespace-config.xml @@ -259,7 +259,22 @@ attributes such as requires-channel, so you will not be able to access information on the current user or call secured methods during the request. Use access='IS_AUTHENTICATED_ANONYMOUSLY' as an alternative if you still - want the security filter chain to be applied. + want the security filter chain to be applied. + + Using filters="none" operates by creating an empty filter + chain in Spring Security's FilterChainProxy, whereas + the access attributes are used to configure the + FilterSecurityInterceptor in the single filter chain + which is created by the namespace configuration. The two are applied + independently, so if you have an access contraint for a sub-pattern of a + pattern which has a filters="none" attribute, the access + constraint will be ignored, even if it is listed first. It isn't possible to + apply a filters="none" attribute to the pattern + /** since this is used by the namespace filter chain. In + version 3.1 things are more flexible. You can define multiple filter chains + and the filters attribute is no longer supported. + + If you want to use basic authentication instead of form login, then change the configuration to