Pagina inicial com spring security sobe desconfigurada

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" 
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xsi:schemaLocation="
    http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 
    
  
    <http auto-config="true" use-expressions="true">
    
        <form-login login-page="/index.xhtml" username-parameter="username" password-parameter="password"
                    always-use-default-target="true"
                    default-target-url="/home.xhtml" 
                    authentication-failure-url="/pages/erro.xhtml?login_error=true"/>
        <logout logout-success-url="/index.xhtml?logout=true" invalidate-session="true" delete-cookies="JSESSIONID"/>
        <session-management>
            <concurrency-control expired-url="/home.xhtml?expired=true" max-sessions="1" 
                                 error-if-maximum-exceeded="true" />
        </session-management>
        <access-denied-handler error-page="/error.xhtml" />
        
        <intercept-url pattern="/pages/supervisor/**" access="hasAnyRole('ROLE_SUPER,ROLE_GERENTE ')"/>
        <intercept-url pattern="/pages/financeiro/**" access="hasAnyRole('ROLE_FINAN,ROLE_GERENTE')"/>
        <intercept-url pattern="/pages/admin/**" access="hasAnyRole('ROLE_ADMIN,ROLE_GERENTE')"/>
        <intercept-url pattern="/pages/gerente/**" access="hasAnyRole('ROLE_GERENTE')"/>
        <intercept-url pattern="/pages/erro/**" access="permitAll()"/>
        <intercept-url pattern="/pages/**" access="permitAll()"/>
        <intercept-url pattern="/pages/menu.xhtml" access="isFullyAuthenticated()"/>
        
        <intercept-url pattern="/layout/**" access="permitAll()"/>
        <intercept-url pattern="/index.xhtml" access="permitAll()"/>
        <intercept-url pattern="/*/**" access="isFullyAuthenticated()"/>
        <intercept-url pattern="/imagens/**" access="permitAll()"/>
        <intercept-url pattern="/css/**" access="permitAll()"/>
        <intercept-url pattern="/*/**" access="isFullyAuthenticated()"/>
        <intercept-url pattern="/*" access="isFullyAuthenticated()"/>
   

       
    </http>
  
    <authentication-manager>
        <authentication-provider>
         <!-- 	<jdbc-user-service data-source-ref="dataSource"   
               users-by-username-query="SELECT LOGIN as username,SENHA as password, CASE Status WHEN 1 THEN 'true' ELSE 'false' END as enabled FROM USERS WHERE LOGIN=?"  
                authorities-by-username-query="SELECT u.login as username, p.NOME_PERFIL as authority FROM USERS u 
                                                INNER JOIN PROFILES p on u.id_area = p.id_perfil WHERE u.login =?"/>
												
				<password-encoder hash="plaintext"/>	-->											
                    <user-service>
                        <user name="bruno" password="bruno" 
                          authorities="ROLE_ADMIN" />
                         <user name="teste" password="teste" 
                               authorities="ROLE_SUPER" />
                         <user name="teste1" password="teste1" 
                               authorities="ROLE_FINAN" />
                          <user name="teste2" password="teste2" 
                               authorities="ROLE_GERENTE" />
                    </user-service>     
        
        </authentication-provider>
    </authentication-manager>
</beans:beans>