I have the following Spring security configuration:
```xml
<security:http>
    <!-- the more specific pattern must come first: intercept-url rules are
         matched in order, so /** listed first would swallow /auth/** -->
    <security:intercept-url pattern="/auth/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    ....
</security:http>
```
I would like to revoke “ROLE_ADMIN” authority from the user when he navigates out of “/auth/**” zone.
How can I achieve such functionality? Can I put some kind of filter on all URLs except /auth/** which revokes Authority from the user?
Can I revoke it “on the fly”?
I think you are misunderstanding the meaning of the `intercept-url` element: this does NOT say "grant the user `ROLE_ADMIN` in the `/auth/**` tree". It says, "a user who has `ROLE_ADMIN` is allowed to access pages in the `/auth/**` tree".

The idea that a user's role changes depending on what he / she is looking at is strange, to say the least.
OK, that kind of makes sense as a requirement. (Though, as a hypothetical user I would find it mysterious and/or annoying that simply navigating around the site cause me to be logged out.)
But I don’t think you should do that by changing the user’s role(s) on the fly. If you do that you are liable to get "Permission denied" responses instead of redirects to the login page.
What you really need to do is to put them back into the "not logged in" state. But even that can be a bit tricky. If pages in the `/auth/**` tree have links to stylesheets or script files, then when the browser fetches those links the security filters are liable to think that the user has navigated out of the `/auth/**` tree and log him out.
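One way to implement what the answer recommends, terminating the session instead of stripping `ROLE_ADMIN` and not treating stylesheet or script fetches as "leaving", as an added example that is not part of the question or the answer; the session attribute name, the `/login` URL and the static-resource test are assumptions:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.filter.OncePerRequestFilter;

/** Logs the user out on the first non-static request outside /auth/** after a visit inside it. */
public class LeaveAuthZoneLogoutFilter extends OncePerRequestFilter {

    // Hypothetical session attribute marking "user has been inside /auth/** this session"
    private static final String IN_AUTH_ZONE = "inAuthZone";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Path relative to the web application, e.g. "/auth/users" or "/style.css"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        HttpSession session = request.getSession(false);

        // Stylesheets and scripts referenced from /auth/** pages must not count as leaving
        if (isStaticResource(path)) {
            chain.doFilter(request, response);
            return;
        }
        if (path.startsWith("/auth/")) {
            request.getSession(true).setAttribute(IN_AUTH_ZONE, Boolean.TRUE);
        } else if (session != null && Boolean.TRUE.equals(session.getAttribute(IN_AUTH_ZONE))) {
            // Full logout (session invalidated, security context cleared) rather than
            // editing the authorities, so the next secured request redirects to login
            new SecurityContextLogoutHandler().logout(request, response,
                    SecurityContextHolder.getContext().getAuthentication());
            response.sendRedirect(request.getContextPath() + "/login"); // assumed login URL
            return;
        }
        chain.doFilter(request, response);
    }

    /** Assumed convention for static assets; adjust to the application's own layout. */
    static boolean isStaticResource(String path) {
        return path.endsWith(".css") || path.endsWith(".js") || path.startsWith("/static/");
    }
}
```

Register it in the chain with `<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="leaveAuthZoneLogoutFilter"/>` so it runs before the access decision.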