Short answer.
I believe that the url you initially entered is browser matches the
pattern "/admin/**", like "/admin/showMeTheMoney".
The SecurityConfig configure() catches that. After your log in, he sees that you are authorized to enter "/admin/showMeTheMoney", so he does forward you to that url.
Below is in more detail.
Here is the flow.
First, lets say that you are not logged in yet.
Then, you request "/admin/showMeTheMoney" in the browser.
In SecurityConfig (a
java config style) configure() method, you see that all urls matching "/admin/**" must have the role 'ROLE_ADMIN', otherwise, the login page "/login" is used to ask the user to login if he is not logged in yet. Because you are not logged in yet, you are sent to "/login" to do login.
And now in that page and you did the login.
The control is returned where it left off at SecurityConfig configure() method. He extracts the username and password from the form, performs authentication, sees that you are authorized now, so lets you in into "/admin/showMeTheMoney".
In MainController, you see that adminPage() will pickup all urls of pattern "/admin**", and end up with view name 'admin', which ends up with admin.jsp using the InternalResourceViewResolver you declared in AppConfig.