The issue is, when the browser cache is empty and a user comes in, here is what happens:

  • the user requests URL "/". This URL is cached.
  • the browser makes a requests to "/favicon.ico". This URL becomes the new URL where to redirect to upon authentication.
  • the user posts the login form and is redirected to "/favicon.ico".

To fix this, you need to set "/favicon.ico" as being a non-secured resources:

<intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />