diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml
index e9e15b2711..e3c25b5571 100644
--- a/doc/docbook/acegi.xml
+++ b/doc/docbook/acegi.xml
@@ -2113,6 +2113,28 @@ public boolean supports(Class clazz);
previous provider is passed to the next in the list. Let's now
consider our ACL-aware implementations of
AfterInvocationProvider.
+
+ Please be aware that if you're using
+ AfterInvocationManager, you will still need
+ configuration attributes that allow the
+ MethodSecurityInterceptor's
+ AccessDecisionManager to allow an operation. If
+ you're using the typical Acegi Security included
+ AccessDecisionManager implementations, having no
+ configuration attributes defined for a particular secure method
+ invocation will cause each AccessDecisionVoter to
+ abstain from voting. In turn, if the
+ AccessDecisionManager property
+ "allowIfAllAbstainDecisions" is
+ false, an AccessDeniedException
+ will be thrown. You may avoid this potential issue by either (i)
+ setting "allowIfAllAbstainDecisions" to
+ true (although this is generally not recommended)
+ or (ii) simply ensure that there is at least one configuration
+ attribute that an AccessDecisionVoter will vote to
+ grant access for. This latter (recommended) approach is usually
+ achieved through a ROLE_USER or
+ ROLE_AUTHENTICATED configuration attribute.
@@ -3879,7 +3901,7 @@ $CATALINA_HOME/bin/startup.sh
X509AuthoritiesPopulator.
- .
+ .
The populator's single method,
@@ -3898,7 +3920,7 @@ $CATALINA_HOME/bin/startup.sh
your own regular expression to match a different part of the
subject's distinguished name. An
AuthenticationDao is used to load the
- user information.
+ user information.