I was able to answer my own question after much brainstorming and apparently the solution was very simple. Since /home/spidey/sopon3/rda-aof/ has been configured as the directory to serve the files that can be accessible using just my-devdomain.com/data-file.pdf, all I had to do was create another directory inside /rda-aof and put my files there. So now the url looks like this: my-devdomain.com/public/data-file.pdf. With this, I was able to configure spring security to allow /public/** without any authentication.