Spring Security Authentication is not working as e

Published 2020-04-01 08:03

Question:

I have configured Spring authentication as below and it's not working as expected

<sec:http auto-config="true">
    <!-- Restrict URLs based on role -->
    <sec:intercept-url pattern="pages/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <sec:intercept-url pattern="/css/style.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
     <sec:intercept-url pattern="pages/**" access="ROLE_USER" />

    <!-- Override default login and logout pages -->
    <sec:form-login login-page="/login.jsp" 
                         default-target-url="/pages/products.xhtml" 
                         authentication-failure-url="/login.html?login_error=1" />
    <sec:logout logout-url="/logout" logout-success-url="/login.jsp" />
</sec:http>

On server startup I have been redirected to login.jsp. If I use the login form I am redirected to products.xhtml, so far fine, but if I directly access products.xhtml, it just allows me to access product.xhtml (even after closing the browser or even on server restart) instead of redirecting to login.jsp. Could anyone tell me what I am missing exactly?

Thanks & Regards, Vijay

Answer 1:

Your patterns and URLs aren't consistent. You have "/login.jsp" for the login page and "pages/login.jsp" in the intercept-url pattern.

Try using:

<http pattern="/css/**" security="none" />

<http>
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login.jsp" 
                     default-target-url="/pages/products.xhtml" 
                     authentication-failure-url="/login.html?login_error=1" />
    <logout logout-url="/logout" logout-success-url="/login.jsp" />
</http>

The debug log for a particular request will explain exactly why it is or isn't secured.
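
The mismatch Answer 1 points out can be reproduced with a small model of first-match intercept-url evaluation. This is an added example, not code from the original post or from Spring Security: `ant_to_regex`, `required_access` and `unsecured_paths` are hypothetical helpers, the matcher is a simplified stand-in for Ant-style matching, and the sample request paths are constructed. It assumes request paths always begin with "/" and that a request matching no rule has no access requirement.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant-style translation: '/**' = any sub-path, '*' = one segment part, '?' = one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(/.*)?"); i += 3
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

# Rules copied from the question, in declaration order.
ASKER_RULES = [
    ("pages/login.jsp", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/css/style.css", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("pages/**", "ROLE_USER"),
]
# Rules copied from Answer 1; the security="none" chain is modelled as its own label.
ANSWER_RULES = [
    ("/css/**", "security=none"),
    ("/login.jsp", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_USER"),
]
# Constructed sample request paths (servlet path, always starting with "/").
SAMPLE_PATHS = ["/login.jsp", "/pages/products.xhtml", "/css/style.css", "/pages/login.jsp"]

def required_access(rules, path):
    """Return the access attribute of the first matching rule, or None if no rule matches."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None

def unsecured_paths(rules, paths):
    """Paths that fall through every rule and therefore carry no access requirement."""
    return [p for p in paths if required_access(rules, p) is None]

if __name__ == "__main__":
    for name, rules in (("question", ASKER_RULES), ("answer 1", ANSWER_RULES)):
        for path in SAMPLE_PATHS:
            print(f"{name:9} {path:24} -> {required_access(rules, path)}")
```

With the question's rules, the patterns without a leading slash match nothing, so `/pages/products.xhtml` falls through unprotected; with Answer 1's rules every sample path resolves to an explicit rule.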



Answer 2:

Make sure you do not have a Cookie or a valid session...