The reference document says urls are matched in the same order as declared, but one declared last is being matched before some of the ones declared earlier.
Here is my declaration:
<intercept-url pattern="/static/**" filters="none" />
<intercept-url pattern="/login.jsp*" filters="none" />
<intercept-url pattern="/logout.jsp*" filters="none" />
<intercept-url pattern="/forgotpassword*" filters="none" />
<intercept-url pattern="/WEB-INF/jsp/forgotpassword*" filters="none" />
<intercept-url pattern="**/ordersearch*" access="hasRole('ROLE_VIEW_ORDER_STATUS')" />
<intercept-url pattern="**/creditstatus*" access="hasRole('ROLE_VIEW_CREDIT_STATUS')" />
<intercept-url pattern="**/shop*" access="hasRole('ROLE_INTERNAL') and hasRole('ROLE_CREATE_SALES_ORDER')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_INTERNAL','ROLE_EXTERNAL')" />
It tries to match in order for all the filters="none", but then jumps to the last pattern /**. So a URL like /appname/ordersearch gets intercepted by /** instead of **/ordersearch*. Any idea what I am doing wrong?