When adding security to a Roo project with the "security setup" command, a filter is added to the web.xml for Spring Security. This filter is put before HttpMethodFilter, but it needs to be put after. HttpMethodFilter is responsible for converting the Spring MVC HTTP POST with parameter _method=DELETE into an actual HTTP DELETE method. If you want to define a Spring Security <intercept-url> with method="DELETE", a delete request will only be intercepted if the request has been converted to the HTTP DELETE method previously. Thus the HttpMethodFilter needs to have been called first, and should be put before the springSecurityFilterChain filter in the web.xml.