You do have one problem, however. You have defined a rule that requires authentication on ALL URLs, including the CSS and image URLs on your login/loginfail pages. In other words, to retrieve and display the logo and CSS on the login page, you have to already be logged in. Except that you're not logged in or you wouldn't be seeing the login page. In theory, this should have caused some sort of recursion problem, but in reality what I've seen is basically what you reported.
Where should i use the EL expression? I didn't use code java here !