We just recently upgraded from Spring Security version 3.0 to version 3.1. Our old

Question

0

Asked: May 28, 20262026-05-28T13:07:11+00:00 2026-05-28T13:07:11+00:00

We just recently upgraded from Spring Security version 3.0 to version 3.1. Our old

0

We just recently upgraded from Spring Security version 3.0 to version 3.1. Our old configuration file was apparently using a deprecated feature where you can disable security for <intercept-url> blocks within the <http> block using the ‘filter=”none”‘ option. Here’s a snippet from our old applicationContext-security.xml file:

<http ...>
    <intercept-url pattern="/resetPassword" filter="none" requires-channel="https" />
</http>

Spring Security 3.1 forces you to define additional <http> blocks to turn off security for certain URL patterns:

<http security="none" pattern="/resetPassword" />

Question: How do I force the HTTPS channel for this new <http> block?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T13:07:12+00:00

Editorial Team

2026-05-28T13:07:12+00:00Added an answer on May 28, 2026 at 1:07 pm

The configuration you were using was not actually requiring https, because filters=”none” means that Spring Security should not pay attention to that request. Instead for both Spring Security 3 and 3.1 you should use something like:

  <http use-expressions="true" ...>
    <intercept-url pattern="/resetPassword" access="permitAll" requires-channel="https" />
  </http>

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

We just recently upgraded from Spring Security version 3.0 to version 3.1. Our old

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply