I see this is an old thread, but I still see the problems outlined above in the latest Spring Roo release (1.2.0.RC1).
The issue is that the spring security configuration that is created after the "security setup" command when you have a gwt application, is basically the same for a "web mvc" application, and several assumptions are made that no longer apply. Namely, that there's a WEB-INF/tags directory, that the path "/login" redirects to "/views/login.jspx" or so, etc.
To make spring security work quickly, simply change applicationContext-security.xml by deleting the form-login tag and modifying this line:
so that it becomes:
<intercept-url pattern="/**" access="permitAll" />
what this will do, is present the default login html form that spring security has to enable you to login to your app. If you then want to have your own login page, you could start by copying the source code of this page and save it to say /login.html. Then you can add back the form-login tag and replace "/login" with "/login.html". After this, you'll want to customize your login page, and then add support for either redirecting to this page or presenting some login dialog when an asynchronous service is called and authentication/authorization is no longer valid. It'd be nice if this would be provided automatically by the "secure setup" when "web gwt setup" has been specified.
<intercept-url pattern="/**" access="isAuthenticated()" />
I will create an issue in Spring Roo project in JIRA, unless somebody tells me it's not necessary either because there's one already or this will be provided in 1.2.0. I wasn't able to find any issue related to this problem.