<security:http name="apis" 
    pattern="/**"

is also matched?
try commenting out this part...

maybe ..change your request path or exclude these two paths when verifying the token?

<security:http name="employeeSecurityChain" 
    pattern="/auth/employees/token"

<security:http name="visitorSecurityChain" 
    pattern="/auth/visitors/token"

<security:http name="apis" 
    pattern="/api/**"