Spring Security: how to exclude certain resources?

Question

I have the following definition...

    <bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
    <property name="objectDefinitionSource">
      <sec:filter-invocation-definition-source >
            <sec:intercept-url pattern="/secure/css/**"        access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/secure/images/**"     access="ROLE_TIER0"/>
            <sec:intercept-url pattern="/**"                   access="ROLE_TIER0"/>
      </sec:filter-invocation-definition-source>
    </property>
    </bean>

I'd like to have the resources on this url...

"/nonSecure/**"

Open to all calls, i.e. no security around it.

I've tried adding ...

<sec:intercept-url pattern="/nonsecure/**" access="permitAll" />

But this causes Websphere to throw an error about

Unsupported configuration attributes: [permitAll] 

Can anyone tell me how to exclude this URL from security?

Answer 1

In spring security 3.1.x the use of filters="none" is deprecated. Instead you use multiple <http> tags like this:

<http pattern="/nonsecure/**" security="none"/>

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic