For now what I could do is this :
But it's a solution I don't really like. Is it the only way to do it?
<http auto-config="true" use-expressions="true" path-type="regex">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/dogs\?form" access="permitAll"/> //matches create
<intercept-url pattern="/dogs.+?form" access="hasRole('ROLE_USER')"/> //matches edit
<intercept-url pattern="/dogs\?page.+" access="hasRole('ROLE_ADMIN')"/> //matches list
<intercept-url pattern="/dogs/*" access="hasRole('ROLE_ADMIN')" method="DELETE" /> //matches delete
I even tried to use global-method-security, pushing methods from aj to java class and using @secured annotation, but I was not able to let it manage login form like it does with the actual configuration.
Now if the user has to login, the app automatically displays the login form. With global-method-security if the user has to login the app just redirects to a page that says invalid access or something like that. How could I solve this?