As it stands right now, you actually appear to have redundant rules. None of them grant access, and the master URL
pattern "/*" would apply even if the earlier patterns had not already blocked
everything.
A whitelisting setup would defined URL patterns that determined what roles had authorization and permit access to them. Unmatched URLs would be attempted against each of the remaining patterns. If none matched, the master pattern would reject the request.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.