Ah, I understand now - sorry for my misinterpretation. But I wonder if this isn't better handled some other way - like in the request matching logic that determines which filter chain to execute. If it is done via request matching, we don't need to duplicate this Method-based behavior across all filters that might need it.
For example: /rest/**,GET = anon, foo, bar /rest/**,POST = authcBasic, perms[blah] or even more robust, to allow for other matching criteria later (e.g. header values?) rest/**[method:GET,blah:x] = anon, foo, bar This feels a little more robust to me than perhaps duplicating this stuff across the HttpMethodPermissionFilter or Authc filters... Thoughts? Les
