When using Spring Security you map a chain of filters to URL patters to specify how those URLs are secured. These patterns can contain wildcards such as
/foo/*/bar /foo/**/barI couldn't find any docs for these wildcards, but my guess is that the first pattern would match
/foo/baz/barbut not
/foo/baz/baz/barwhereas the second pattern ( /foo/**/bar ) would match both of these
maybe this code will help:
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <security:http auto-config="true"> <security:intercept-url pattern="/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/logout.do" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/fail2login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/json/*.do" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/*" access="ROLE_ADMIN" /> <security:form-login login-page="/login.do" default-target-url="/home.do" authentication-failure-url="/fail2login.do" /> <security:session-management> <security:concurrency-control max-sessions="1" /> </security:session-management> <security:logout logout-success-url="/logout.do" delete-cookies="JSESSIONID" invalidate-session="true" /> </security:http> <security:authentication-manager> <security:authentication-provider> <security:jdbc-user-service data-source-ref="dataSource" users-by-username-query="select userName, password, status from User where userName=?" authorities-by-username-query="select us.userName, ur.userRoleName from User us, UserRole ur where ur.userName =? " /> </security:authentication-provider> </security:authentication-manager> </beans>