As it stands right now, you actually appear to have redundant rules. None of them grant access, and the master URL pattern "/*" would apply even if the earlier patterns had not already blocked
A whitelisting setup would define URL patterns that determined what roles had authorization and permitted access to them. Unmatched URLs would be attempted against each of the remaining patterns. If none matched, the master pattern would reject the request.
An IDE is no substitute for an Intelligent Developer.
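
The difference between the two setups described in the post above, as an added example that is not part of the original post and not tied to any particular framework. It is a small Python model that assumes patterns are tried in order and the first match decides; the patterns, role names and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule sets: (URL pattern, roles allowed). An empty set grants nobody.
ALL_DENY = [("/admin/*", set()), ("/reports/*", set()), ("/*", set())]
WHITELIST = [
    ("/admin/*", {"admin"}),
    ("/reports/*", {"admin", "analyst"}),
    ("/*", set()),  # master pattern: reject whatever nothing above claimed
]


def decide(rules, path, roles):
    """Try each pattern in order; the first one that matches decides.

    A request that matches no pattern at all is rejected (default deny).
    """
    for pattern, allowed in rules:
        if fnmatchcase(path, pattern):
            return bool(allowed & set(roles))
    return False


def redundant_rules(rules):
    """Return patterns of deny-only rules that change no decision.

    In this model a deny-only rule is redundant when every rule after it
    is deny-only too: whatever it blocks would be blocked anyway. The
    final rule (the master pattern) is not reported.
    """
    redundant = []
    for i, (pattern, allowed) in enumerate(rules[:-1]):
        if not allowed and all(not later for _, later in rules[i + 1:]):
            redundant.append(pattern)
    return redundant


if __name__ == "__main__":
    print("redundant in ALL_DENY:", redundant_rules(ALL_DENY))
    print("redundant in WHITELIST:", redundant_rules(WHITELIST))
    for path, roles in [("/admin/users", {"admin"}), ("/reports/q1", {"analyst"}),
                        ("/admin/users", {"analyst"}), ("/other", {"admin"})]:
        print(path, sorted(roles), "->", decide(WHITELIST, path, roles))
```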