Different authentication on localhost vs public IP address

Question

I have an issue that seems something like this one but I'm not using AJAX for logging in/authentication.

When I access my local Tomcat 7 instance, I can correctly evaluate this block to true when the user is not logged in:

<security:authorize access="!isFullyAuthenticated()">
        <div class="col-xs-12 col-md-2 login_button">
            <a href="${pageContext.request.contextPath}/login"><button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button></a>
        </div>
</security:authorize>

However, it evaluates to false when I deploy it to our public QA and public production instances, hiding the button. I also tried changing the access to !isAuthenticated() but the behavior didn't change.

I'm using Spring 4.1.0.RELEASE and Spring Security 3.2.4.RELEASE. I am not completely sure but it may not have had this behavior in a previous version of Spring.

What could cause a difference in the code block evaluation between servers?

UPDATE:

Spring security config:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />

  <http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
        authentication-success-handler-ref="authSuccessHandler"
        authentication-failure-url="/login?login_error=true"
        login-processing-url="/j_spring_security_check" />
    <intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <logout logout-success-url="/index" />
  </http>

  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder ref="passwordEncoder" />
    </authentication-provider>
  </authentication-manager>

  <beans:bean id="myUserDetailsService"
          class="com.companyname.service.UserDetailsServiceImpl" />

  <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler"/>
    </global-method-security>

    <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="permissionEvaluator">
            <beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
        </beans:property>
    </beans:bean>
</beans:beans>

EDIT: Also tried Spring Security 3.2.8.RELEASE, but no luck.

Answer 1

This issue was solved by a fellow developer by updating the web.xml to contain the Spring Security Filter Chain higher up in the file:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <servlet-name>Spring Security Filter Chain</servlet-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

We also had to make sure that the updated file was deployed to the correct environment. The discrepancy in environments is attributed to different web.xml files for each environment.