Are the third and fourth intercept-url patterns below, for ROLE_USER, redundant? It seems to me that “/*” would also capture any request URL that matches “/account/*.do”.
<security:filter-security-metadata-source>
    <security:intercept-url pattern="/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/home.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/account/*.do" access="ROLE_USER"/>
    <security:intercept-url pattern="/*" access="ROLE_USER"/>
</security:filter-security-metadata-source>
Reading the question again, yes, the third rule actually looks like it is redundant (I first answered as if you were asking whether all the rules other than the last one are redundant).
From the documentation:
So, if a logged-in user was trying to access “/account/*.do”, the third rule would fire, but for anything else the fourth rule would still allow access, which does make the third rule seem redundant in this case. The easiest way to test this is probably just to comment out or remove the third rule and then check whether you can still access pages under “/account” (which you should be able to).
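As an added illustration (not code from the question or the answer, and not Spring's own implementation): a small Python simulation of first-match-wins evaluation over the four rules, using an Ant-style matcher written here on the assumption that it follows the semantics Spring documents for AntPathMatcher (`*` stays within one path segment, `**` spans segments). It lets you check the redundancy claim for both a `/*` and a `/**` catch-all before editing the real configuration.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (pattern, access attribute)

# Constructed rule table mirroring the question's configuration; the
# catch-all is a parameter so "/*" and "/**" can be compared.
def build_rules(catch_all: str) -> List[Rule]:
    return [
        ("/login.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
        ("/home.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
        ("/account/*.do", "ROLE_USER"),
        (catch_all, "ROLE_USER"),
    ]

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Minimal Ant-style matcher (assumed semantics, see lead-in):
    '?' one char, '*' any chars within one segment, '**' any segments."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more whole segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            c = pattern[i]
            out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def first_match(url: str, rules: List[Rule]) -> Optional[Rule]:
    """intercept-url entries are evaluated top to bottom; the first hit wins.
    None means no rule applies, which the caller must treat as a gap."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(url):
            return (pattern, access)
    return None

def is_redundant(rule_index: int, catch_all: str, probe_urls: List[str]) -> bool:
    """A rule is redundant if every probe URL it decides gets the same
    access attribute once the rule is removed."""
    full = build_rules(catch_all)
    reduced = full[:rule_index] + full[rule_index + 1:]
    for url in probe_urls:
        hit = first_match(url, full)
        if hit is not None and hit[0] == full[rule_index][0]:
            alt = first_match(url, reduced)
            if alt is None or alt[1] != hit[1]:
                return False
    return True
```

With the question's literal `/*` catch-all, removing the third rule leaves `/account/view.do` matched by nothing; with `/**` the third rule really is redundant.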