I've built an app that works great in my own local environment. But when I deploy to our development environment, which uses SiteMinder for authentication, I get an "access denied" for all images and CSS files. I noticed that after authentication a jsessionid is appended to the URL, so I tested manually copying and pasting that jsessionid onto the image URL. The image then shows!
Does anyone have any idea what could be going wrong? Why is the jsessionid required for access to images and CSS?
I'd be glad to post any code examples if that helps...
**Edit**
I've turned on some extra logging and I can see where the issue occurs, but not really how to solve it.
19:40:27,236 INFO [STDOUT] 2010-12-17 19:40:27,236 [http-0.0.0.0-30080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request. at org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter.getPreAuthenticatedPrincipal(RequestHeaderAuthenticationFilter.java:43) at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:98) at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:86) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:619) My Spring security settings:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd"> <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="securityMetadataSource"> <security:filter-security-metadata-source> <security:intercept-url pattern="/" access="ROLE_VIEW_WELCOME" /> <security:intercept-url pattern="/cfs" access="ROLE_VIEW_WELCOME" /> <security:intercept-url pattern="/app" access="ROLE_VIEW_WELCOME" /> <security:intercept-url pattern="/welcome/**" access="ROLE_VIEW_WELCOME" /> <security:intercept-url pattern="/styles/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/scripts/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/ruleManagement/**" access="ROLE_VIEW_RULE_MANAGEMENT" /> <security:intercept-url pattern="/vendorManagement/**" access="ROLE_VENDOR_MANAGEMENT" /> <security:intercept-url pattern="/userManagement/**" access="ROLE_USER_MANAGEMENT" /> <security:intercept-url pattern="/titleManagement/**" access="ROLE_TITLE_MANAGEMENT" /> <security:intercept-url pattern="/typeManagement/**" access="ROLE_TYPE_MANAGEMENT" /> <security:intercept-url pattern="/seriesManagement/**" access="ROLE_SERIES_MANAGEMENT" /> <security:intercept-url pattern="/sequenceManagement/**" access="ROLE_SEQUENCE_MANAGEMENT" /> <security:intercept-url pattern="/roleManagement/**" 
access="ROLE_GROUP_MANAGEMENT" /> <security:intercept-url pattern="/reports/**" access="ROLE_REPORTS" /> <security:intercept-url pattern="/reportsNew/**" access="ROLE_REPORTS" /> <security:intercept-url pattern="/fingerprint/**" access="ROLE_FINGERPRINT" /> <security:intercept-url pattern="/**" access="ROLE_VIEW_OTHER" /> </security:filter-security-metadata-source> </property> </bean> <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter"> <property name="authenticationEntryPoint" ref="preauthenticationProcessingFilterEntryPoint" /> <property name="accessDeniedHandler" ref="accessDeniedHandler" /> </bean> <security:authentication-manager alias="authenticationManagerParent" /> <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager" parent="authenticationManagerParent"> <property name="providers"> <list> <ref local="preauthAuthProvider" /> </list> </property> </bean> <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false" /> <property name="decisionVoters"> <list> <bean class="org.springframework.security.access.vote.RoleVoter" /> <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> </list> </property> </bean> <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" /> <bean id="defaultConcurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl"> <property name="sessionRegistry" ref="sessionRegistry" /> <property name="exceptionIfMaximumExceeded" value="true" /> </bean> <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <security:filter-chain-map path-type="ant"> <security:filter-chain pattern="/**" filters="securityContextPersistenceFilter, exceptionTranslationFilter, siteminderFilter, filterSecurityInterceptor" /> </security:filter-chain-map> 
</bean> <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> <property name='securityContextRepository'> <bean class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'> <property name='allowSessionCreation' value='true' /> </bean> </property> </bean> <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"> <property name="principalRequestHeader" value="SM_USER" /> <property name="authenticationManager" ref="authenticationManager" /> <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" /> </bean> <bean id="mockSiteMinderFilter" class="com.disney.cfs.util.SiteMinderMockFilter"/> <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService" ref="userDetailsService"/> </bean> <bean id="userDetailsService" class="com.disney.cfs.util.UserDetailsServiceUtil"/> <bean id="preauthenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" /> <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"> <property name="errorPage" value="/accessDenied.jsp" /> </bean> </beans>