Process static resource with spring security

Question

Hello I need to have static resources that are processed with Spring Security and I want still keep it static in meaning of it's not processed with DispatcherServlet. I have one folder reserved for non-secured resources and one folder for secured resources. I can't get this work until I exclude /res/secured from resource handler. But if I do this secured resources are processed with DispatcherServlet which I think is not right (maybe I'm wrong? -> post explanation or link).

My configuration:

/*--- Directories structure ---*/
res
|-- nonsecured
|-- secured
/*--- /Directories structure ---*/

/*--- WebApplicationInitializer ---*/
Dynamic portalSecurityFilter = servletContext.addFilter("portalSecurityFilter", new PortalSecurityFilter());
portalSecurityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

// Spring Security filtr
Dynamic securityFilter = servletContext.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");

Dynamic dynamicCharacterEncodingFilter = servletContext.addFilter("characterEncodingFilter", characterEncodingFilter);
dynamicCharacterEncodingFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

Dynamic ajaxFilter = servletContext.addFilter("ajaxFilter", new AjaxFilter());
ajaxFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

// Root context
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.register(WebConfig.class);

// Dispatcher servlet
ServletRegistration.Dynamic dispatcherServlet = servletContext.addServlet("dispatcherServlet", new DispatcherServlet(rootContext));
dispatcherServlet.setLoadOnStartup(1);
dispatcherServlet.addMapping("/");

servletContext.addListener(new ContextLoaderListener(rootContext));
/*--- /WebApplicationInitializer ---*/

/*--- Web configuration part ---*/
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    super.addResourceHandlers(registry);
    registry.addResourceHandler("/res/**").addResourceLocations("/WEB-INF/res/");
}
/*--- /Web configuration part ---*/

/*--- Spring Security confogiration part ---*/
<http pattern="/res/unsecured/**" security="none" />

<http pattern="/**" use-expressions="true" authentication-manager-ref="myAuthenticationManager">

    <intercept-url pattern="/res/secured/**" access="hasRole('ROLE_USER_AUTHENTICATED')" />
    <intercept-url pattern="/**" access="permitAll" />
</http>
/*--- /Spring Security confogiration part ---*/

Thanks for your answers.

EDIT

As I playing around it seems to me that <http pattern="/res/unsecured/**" security="none" /> part in security configuration is pointless because resources served by resource handler don't go through Spring Security filter chain. Am I missing something or is my configuration wrong?

Answer 1

I have to admin that this is my shame. Spring Security works as expected and above configuration works well. My problem was that browser cached static resources (namely PDF file) and I just didn't notice it. If you experience same problem try to make hard refresh before you will spend time on searching for problems :)