By looking deeper into the inner mechanics of Spring Security and OAuth2 I started to get an idea where my problem arises.
Basically I'm trying to combine a REST resource secured by an OAuth 2 generated token (implicit grant type) and a "general" web page protected by a login form and session based authentication mechanism.
It seems as if all filters that are needed for the different authentication methods require a very special filter combination. Otherwise they will overload each other.
Today's Progress: Learned more about the inner mechanics of Spring Security. Specially authentication filters. Also I simplified the architecture.
Things I've learned: More about the inner mechanics of Spring Security.
Things I've planned for tomorrow: Continue my investigation.
Link(s) to work: security-server