Spring security works pretty fine for me, but I cannot understand why I can't limit access to HTML host page. The current situation is that my application starts and I have to handle login problem in gwt code by myself.
I'd prefer Spring security to handle this, so when user is not logged, and try to load my /Application.html, he/she is automatically redirected to login page, and no gwt entry-point code is launched until user is logged in.
This behavior is working very fine for dynamically (by servlet) generated content (such as JSP pages), but the filter chain seems not to be applied to to static (e.g. HTML) resources.
For example:
When this is set in config file:
<intercept-url pattern="/secured/**" access="ROLE_ADMIN" />
and I try to access /secured/administration.jsp Spring security rejects access correctly. But when I try to access /secured/index.html and the file exists, seems that no Spring filter chain is applied and the file is displayed.
Is there a way how to configure Spring security to deny access to static files when user is not logged in?