I want to implement the following authentication in my application.
1. All the pages having /users/** can be accessed by User or Admin.
2. The page /user?new is a register page. It should be only accessible to non-logged in users.
where new is parameter.
In controller i have RequestMapping for this url.
The Ant style pattern matcher that is used by default is not going to pay any attention to your parameter. The correct way to do this would be to create another <http> element before that one that defines a request-matcher-ref attribute referencing your own custom RequestMatcher. I would name this class ParamMatcher or some such thing. This matcher would inspect the parameter and return true if it matched.
Note that in your case since you have other rules in another <http> block protecting things, and this rule is allowing everyone access, you are probably OK, but as a general rule of thumb matching on parameters is not secure, as its easy to reorder parameters or add patterns to bypass security altogether, so be careful when doing this sort of thing. In general it would be better to create a new path rather than having a parameter.