Using XML configuration, separate HTTP elements share authentication

[cartbar]

I created an XML file to configure the Spring Security in my application:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        https://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/B.html">
        <headers >
            <frame-options disabled="true"></frame-options>
        </headers>
        <http-basic />
        <intercept-url pattern="*" access="permitAll" />
    </http>


    <http pattern="/**">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>
.
.
.
</beans:beans>

The expectation is that requests for "/B.html" will have the XFRAME header disabled AND not require authentication, and all other request would have the default headers and require authentication.

In fact, requests for "/B.html" do have the XFRAME header disables (as expected) but require authentication.

It appears that the filter that does the authenication applies the rules for both sections, so that the first rule permits access and the second rule requires authentication, rather than only applying the rules from the relevant HTTP element