views:

2073

answers:

1

I've been playing around with Spring Security a bit and noticed the following oddity.

When I specify the <http> block like this in my security context XML.

<http>
    <http-basic/>

    <port-mappings>
        <port-mapping http="8080" https="8181"/>
    </port-mappings>

    <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
    <intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
    <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
    <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" /> -->
</http>

All the URLs seem to trigger an HTTP basic authentication pop-up when I hit the various URLs with the browser.

This is good and what I expected, but when I add a method parameter to one of the intercept URLs like this:

<http>
    <http-basic/>

    <port-mappings>
        <port-mapping http="8080" https="8181"/>
    </port-mappings>

    <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
    <intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
    <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
    <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" /> -->
</http>

The basic authentication is turned off for all the URLs except the one I've explicitly set the method on (/url2).

Is this how it's supposed to work? It seems a little goofy to me. Is this a bug?

+1  A: 

Now I have tested url1 with https and it works. I got redirected and then the login dialog showed up.
Setting the logging level to DEBUG, it prints:

DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'  
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false  
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true  
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point

This is the configuration:

<http>
  <http-basic/>
  <port-mappings>
     <port-mapping http="8080" https="8443"/>
  </port-mappings>
  <intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
  <intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />   
</http>
rodrigoap
Thanks for the effort! This *looks* like the same config I have. The only thing I can figure is that it's a new bug in 3.0.0.M2 which didn't exist in 2.0.4.
Vinnie
As you said, it's a bug. I tested it with 3.0.0 M2. I also found where the bug is, so I reported it to their Jira: http://jira.springsource.org/browse/SEC-1236
rodrigoap
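The DEBUG log in the answer above shows the evaluation order that the `<intercept-url>` rules are supposed to follow: the request URL is lowercased, each pattern is tried in declaration order, and the first match supplies the config attributes; a `requires-channel` redirect happens before the authentication entry point is reached. The following is an added example, not Spring Security's own code and not anything posted in the thread: a small Python model of that intended first-match semantics, using the answer's rule set (`/url1**`, `/url2**` with `method="GET"`, `/url3**`). The rule names, the `decide` function and its outcome strings (`redirect-https`, `authenticate`, `permit`, `deny`) are assumptions made for the example. Besides showing that a method-restricted rule should not switch off protection for the other URLs, it also shows the caveat a reviewer would raise about such configs: a rule carrying `method="GET"` covers only GET, so a POST to `/url2/...` falls through to the remaining rules, and with the `/**` catch-all commented out it ends up with no rule at all.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Model of one <intercept-url> element (assumed names, not Spring's classes).
@dataclass
class InterceptUrl:
    pattern: str
    access: List[str] = field(default_factory=list)
    method: Optional[str] = None          # None == applies to every HTTP method
    requires_channel: Optional[str] = None


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into a regex.

    '**' matches any characters including '/', '*' matches within one path
    segment, '?' matches a single non-slash character.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def lookup(rules: List[InterceptUrl], url: str, method: str) -> Optional[InterceptUrl]:
    """First-match lookup, mirroring the 'Converted URL to lowercase' and
    'Candidate is ... matched=' lines in the DEBUG log."""
    candidate = url.lower()
    for rule in rules:
        # A method-restricted rule is skipped for every other method.
        if rule.method is not None and rule.method != method.upper():
            continue
        if ant_to_regex(rule.pattern).match(candidate):
            return rule
    return None


def decide(rules: List[InterceptUrl], url: str, method: str,
           roles: Optional[List[str]] = None, scheme: str = "http") -> str:
    """Outcome for one request (assumed labels):
       'permit'         - no rule matched, or the caller holds a required role
       'redirect-https' - channel check fails; runs before authentication
       'authenticate'   - rule matched but no authenticated principal yet
       'deny'           - authenticated, but none of the required roles held
    """
    rule = lookup(rules, url, method)
    if rule is None:
        return "permit"               # unsecured: this is why a /** catch-all matters
    if rule.requires_channel == "https" and scheme != "https":
        return "redirect-https"
    if roles is None:
        return "authenticate"          # what triggers the basic-auth dialog
    if set(rule.access) & set(roles):
        return "permit"
    return "deny"


# The answer's configuration, rebuilt as rule objects (constructed sample data).
RULES = [
    InterceptUrl("/url1**", ["ROLE_USER"], requires_channel="https"),
    InterceptUrl("/url2**", ["ROLE_TELLER"], method="GET"),
    InterceptUrl("/url3**", ["ROLE_SUPERVISOR"]),
]

if __name__ == "__main__":
    for url, method, scheme in [("/url1/", "GET", "http"), ("/url1/", "GET", "https"),
                                ("/url2/x", "GET", "http"), ("/url2/x", "POST", "http"),
                                ("/url3/", "GET", "http")]:
        print(f"{method:4} {scheme}://host{url:8} -> {decide(RULES, url, method, scheme=scheme)}")
```

Running the block prints one line per request; the `POST /url2/x -> permit` line is the fall-through case, and uncommenting a trailing `/**` rule (as the question's config hints at) would turn it into `authenticate`.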