Spring Security - overriding default config in profile

Spring 3.1 context (we are using Spring MVC and Spring Security).

What we are trying to do is an admin page only accessible when the profile is active admin

. With Spring Security, we tried something like:

<security:http use-expressions="true" entry-point-ref="entryPointDenied">
    <security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>

<beans profile="admin">
    <security:http use-expressions="true">
        <security:intercept-url pattern="/admin/**" access="permitAll" />
        <sec:form-login/>
    </security:http>
</beans>

      

        
        
        
      

    

But that doesn't work as we cannot override definitions security:http

(we tried to use an attribute http@name

). So with the above configuration we get

Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored.

      

        
        
        
      

    

Also we cannot use the negative profile feature (i.e. profile="!admin"

) as it is introduced in Spring 3.2.

Ideally, the solution should be purely Spring config.

Edit: added missing use of -expression = "true" to second security: http