How can I disable spring form based login for RESTful endpoints?

Question

I have spring-security configured using basic and form based authentication as per auto-config=\'true\'.

I would like the endpoints under /api/**<

Answer 1

With Spring Security 3.1, your best option is to split the restful and non-restful parts of your application into separate filter chains by using two separate <http> elements. The restful API chain can then be configured to be stateless and use basic authentication, while the default chain can use a normal form-login configuration.

You would then have something like:

<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern="/api/**" access="ROLE_API_USER" />
    <http-basic />        
</http>

<!-- No pattern attribute, so defaults to matching any request -->
<http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login />        
</http>

The chain definitions must be ordered from most specific pattern to most general, so the default chain comes last.