As Karthikeyan suggests in his comment, the problem is the following line:
<http pattern="/index.jsp" security="none"/>
which effectively causes requests matching the given pattern to be dispatched straight to the handler method skipping the Spring Security filter chain. Not even the SecurityContext
gets initialized in this case, so the authentication object won't be available for the <sec:authorize>
tag based on which it should make decision whether to reveal the wrapped content (and it obviously won't by default).
The reference doc states it clearly as well:
A request pattern can be mapped to an empty filter chain, by setting this attribute (
security
) to none. No security will be applied and none of Spring Security's features will be available.
Instead of mapping an empty filter chain, you should simply allow anonymous access:
<sec:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>