Tomcat static content path security with Spring

I'm trying to setup static content serving on my Tomcat 9 server So I specified it inside server.xml

<Host name="${serverhost}" appBase="webapps" unpackWARs="true" autoDeploy="false" deployOnStartup="false">
   ....
   <Context path="/staticfiles" docBase="${staticfiles.folder}" reloadable="false"/>
   ....
   <Context path="" docBase="application" reloadable="false">
    ....

On top of that I set up spring sercurity filter for /staticfiles path::

<security:http use-expressions="true" entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager" disable-url-rewriting="true"
               pattern="/staticfiles/**"
               create-session="never" security-context-repository-ref="oAuth2EapiCompositeSecurityContextRepository">
    <security:csrf disabled="true"/>
    <security:headers disabled="true"/>
    <security:http-basic/>
    <security:form-login authentication-failure-handler-ref="authFailureHandler" authentication-success-handler-ref="authSuccessHandler"
                         username-parameter="j_username"
                         password-parameter="j_password"
                         login-processing-url="/j_spring_security_check"/>
    <security:anonymous enabled="false"/>
    <security:intercept-url pattern="/staticfiles/**" access="permitAll"/>
    <security:intercept-url pattern="/**" access="denyAll"/>
    <security:custom-filter ref="fileTransferResourceServerFilter" before="PRE_AUTH_FILTER"/>
</security:http> 

web.xml mapping

 <filter-name>springSecurityFilterChain</filter-name>
 <url-pattern>/staticfiles/*</url-pattern>

It allows to access all the static files without any authentication still

GET apphost.com/statifiles/333/test.jpg doesn't ask for authentication, so seems like Spring Security filter chain doesnt match this path somehow, but all the other application endpoints are secured (with corresponding security patterns)

So seems like Tomcat somehow use it's own filter to serve static content, I tried to put

 <Context path="/staticfiles" docBase="${staticfiles.folder}" reloadable="false"/>

inside

 <Context path="" docBase="application" reloadable="false">

which actually makes it work so Spring protecting this path with basic auth but after sucessfull login it responds with 404 all the time, seems like Spring doesn't fallback to Tomcat static content servlet after Spring Security filters

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum