Spring Security Login and Logout

I want to create a web application using spring security, but I feel that something is wrong or missing.

Here are my codes:

security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

<http use-expressions="true" disable-url-rewriting="true">
    <intercept-url pattern="/index.htm" access="hasRole('ROLE_ADMIN')" />
    <form-login login-processing-url="/login" login-page="/login.htm"
        username-parameter="userName" password-parameter="password"
        default-target-url="/index.htm" always-use-default-target="true"
        authentication-failure-url="/login.htm?auth=fail" />
    <logout logout-url="/logout.htm" logout-success-url="/login?out=1"
        delete-cookies="JSESSIONID" invalidate-session="true" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="drs" password="123456" authorities="ROLE_ADMIN" />
            <user name="dr" password="123456" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
</beans:beans>

controller:

@Controller
public class SecurityController {
    @RequestMapping(value = "/logout.htm", method = RequestMethod.GET)
    public String logoutPage() {
        return "logoutPage";
    }

    @RequestMapping(value = "/login.htm", method = RequestMethod.GET)
    public String login() {
        return "loginPage";
    }
}

login.jsp:

<form:form action="${pageContext.request.contextPath}/login" method="POST">
    <c:if test="${not empty param.err}">
        <div>
            <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
        </div>
    </c:if>
    <c:if test="${not empty param.out}">
        <div>You've logged out successfully.</div>
    </c:if>
    <c:if test="${not empty param.time}">
        <div>You've been logged out due to inactivity.</div>
    </c:if>

    Username:<br>
    <input type="text" name="userName" value="" />
    <br>
    <br> Password:<br>
    <input type="password" name="password" value="" />
    <input value="Login" name="submit" type="submit" />
</form:form>

logout.jsp:

<a href="${pageContext.request.contextPath}/login.htm">Login</a>

This work is just fine, the only problem is when I delete logout, it doesn’t do anything, I still have the permission that I had after logging in. Usually he should return to the login screen, asking the user to authenticate in order to gain access to this page. What am I missing?

And one more problem that I could not understand. When I change the login form, follow these steps:

<form:form action="${pageContext.request.contextPath}/login" method="POST">

at

<form name='loginform' action="<c:url value='j_spring_security_check' />" method='POST'>

I get an error message:

HTTP Status 404 - / Dronomy_2.1 / j_spring_security_check

Can anybody help me?