problem with using entry-point and intercept-url patterns

Hello,

my configuration looks like this:

<security:http entry-point-ref="loginUrlAuthenticationEntryPoint" auto-config="true" use-expressions="true" disable-url-rewriting="true">
<security:intercept-url pattern="/web/**" filters="none" />
<security:intercept-url pattern="/ajax/**" filters="none" />
....
<security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/index.htm" default-target-url="/start.htm" always-use-default-target="true" authentication-failure-url="/index.htm" />
<security:logout />
<session-management session-authentication-strategy-ref="sas" />
</security:http>

<security:authentication-manager alias="authenticationManager">
<authentication-provider ref='authenticationProvider' />
</security:authentication-manager>

<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentica tion.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/index.htm"/>
<beans:property name="useForward" value="true"/>
</beans:bean>

<beans:bean id="authenticationProvider"
class="de.oyb.fangoetter.web.security.Authenticati onProvider">
<beans:property name="accountDao" ref="accountDao" />
</beans:bean>

<beans:bean id="sas"
class="org.springframework.security.web.authentica tion.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.S essionRegistryImpl" />

</beans:beans>


So I am using the entry point with the URL index.htm which I want to access by a useForward.

My problem:

When I not log in and want to access the URL /user/home.htm (which is not allowed because of my ROLE_USER), this URL is nevertheless opened but I am not redirected to the index.htm because of the intercept-url pattern.

What might be the failure with my configuration?