The reason though is absolutely clear. It means in the namespace "http://www.springframework.org/schema/beans" (as it is prefixed by beans as well as being the default namespace in your spring-security.xml), under the root beans only description, import, alias, bean or some element other than that in the same namespace are allowed. Now your xml has http, ... under it. Consequently, it is not an valid xml. You can deduce the reasoning all by looking at the xsd for the beans prefix as documented in the root as well... I won't insist this, it is too cumbersome to explain in prose.
In any case, you might be a bit careless in merging from various sources/tutorials to construct the spring-security.xml. Here are the main errors: the http etc are in fact in the http://.../security rather than in http://.../context namespace !!! Then if you want to spare prefix for the security namespace, you have to make it default rather than keeping the beans namespace as default. Third, the location of the security xsd is wrong and furthermore the version maybe as well.
Brief, thses are the corrections which probably make it work already, if not, the remaining correction should be related to finer behaviours sought after, such as this rather that etc. Whereas you may or may not want to have a lower version than 4.0 (such as 3.2, or 3.1 or 3.0.3 ... according to your need). Anything else is kind of detail.
Always! Wait. Never. Shut up. Look at this tiny ad.
Devious Experiments for a Truly Passive Greenhouse!