spring-boot-rest/spring-mvc-no-xml/src/main/resources/webSecurityConfig.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd"
>

    <http access-denied-page="/access-denied.html" use-expressions="true">
        <intercept-url pattern="/access-denied*" access="hasAnyRole('ROLE_LOCATION_WRITE','ROLE_POLYGON_WRITE')"/>
        <intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/organization/**" access="hasAnyRole('ROLE_ORGANIZATION')"/>
        <intercept-url pattern="/location/edit*" access="hasAnyRole('ROLE_LOCATION_WRITE')"/>
        <intercept-url pattern="/location/view*" access="permitAll"/>

        <intercept-url pattern="/login*" access="isAnonymous()"/>
        <intercept-url pattern="/register*" access="isAnonymous()"/>
        <intercept-url pattern="/login-denied/**" access="isAnonymous()"/>

        <intercept-url pattern="/**" access="permitAll"/>

        <form-login login-page='/login.html' default-target-url="/" always-use-default-target="false" authentication-failure-url="/login.html?error=true"/>

        <logout/>

        <anonymous/>

        <session-management invalid-session-url="/">
            <concurrency-control max-sessions="1"/>
        </session-management>
    </http>

    <authentication-manager alias="authenticationManager" erase-credentials="false">
        <authentication-provider ref="restAuthenticationProvider"/>
    </authentication-manager>

</beans:beans>