spring - Why Doesn't Intercept Url Work?
This Spring Security configuration:

    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout"/>
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <intercept-url pattern="/monitoring" access="hasRole('role_admin')" />
        .......

I added this:

    <intercept-url pattern="/monitoring" access="hasRole('role_admin')" />

to prevent entering this section.. but I can enter monitoring after logging in as a "normal" user...

Why??
The order of <intercept-url .../> elements matters. The new intercept-url pattern="/monitoring" comes after pattern="/**", so it is ignored, because the monitoring URLs have already been processed by <intercept-url pattern="/**" access="isAuthenticated()" />.

You should write:

    <intercept-url pattern="/monitoring" access="hasRole('role_admin')" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

As a general rule, intercept-url pattern="/**" must always be last.
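An added example (not part of the original answer or of Spring Security): a small Python check that applies the first-match-wins ordering described above to constructed copies of the two configurations and flags any intercept-url rule that an earlier pattern already decides. The function names are hypothetical, the Ant-pattern translation is a simplified approximation of Spring's matcher, and the shadowing check probes only one representative path per rule.

```python
import re
import xml.etree.ElementTree as ET

TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (?, *, **) into a compiled regex."""
    tail = ""
    if pattern.endswith("/**"):  # a trailing /** also matches the bare prefix
        pattern, tail = pattern[:-3], "(/.*)?"
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join(TOKENS.get(p, re.escape(p)) for p in parts)
    return re.compile(body + tail + r"\Z")

def load_rules(xml_text):
    """Return (pattern, access) pairs in document order, ignoring XML namespaces."""
    return [(el.get("pattern"), el.get("access"))
            for el in ET.fromstring(xml_text).iter()
            if el.tag.split("}")[-1] == "intercept-url"]

def first_match_index(rules, path):
    """Index of the first rule whose pattern matches path (first match wins)."""
    for idx, (pattern, _) in enumerate(rules):
        if ant_to_regex(pattern).match(path):
            return idx
    return None

def first_match(rules, path):
    idx = first_match_index(rules, path)
    return None if idx is None else rules[idx][1]

def shadowed(rules):
    """Heuristic: probe each rule with one concrete path built from its own pattern."""
    hits = []
    for idx, (pattern, _) in enumerate(rules):
        probe = pattern.replace("**", "a/b").replace("*", "a").replace("?", "a")
        winner = first_match_index(rules, probe)
        if winner is not None and winner < idx:
            hits.append((pattern, rules[winner][0]))
    return hits

# Constructed sample configs modelled on the question (broken) and the answer (fixed).
def config(*rules):
    body = "".join('<intercept-url pattern="%s" access="%s"/>' % r for r in rules)
    return '<http use-expressions="true">%s</http>' % body

ADMIN, ANY = ("/monitoring", "hasRole('role_admin')"), ("/**", "isAuthenticated()")
OPEN = [("/resources/**", "permitAll"), ("/login", "permitAll")]
BROKEN = config(*OPEN, ANY, ADMIN)   # question's order: /** before /monitoring
FIXED = config(*OPEN, ADMIN, ANY)    # answer's order: /** last
print(shadowed(load_rules(BROKEN)))
```

Running `shadowed` over a project's real security XML in a build step catches this ordering mistake before a role-restricted path is silently opened to every authenticated user.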