<security:http>
  <security:intercept-url pattern="/web/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

</security:http>