diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index e9e15b2711..e3c25b5571 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -2113,6 +2113,28 @@ public boolean supports(Class clazz); previous provider is passed to the next in the list. Let's now consider our ACL-aware implementations of AfterInvocationProvider. + + Please be aware that if you're using + AfterInvocationManager, you will still need + configuration attributes that allow the + MethodSecurityInterceptor's + AccessDecisionManager to allow an operation. If + you're using the typical Acegi Security included + AccessDecisionManager implementations, having no + configuration attributes defined for a particular secure method + invocation will cause each AccessDecisionVoter to + abstain from voting. In turn, if the + AccessDecisionManager property + "allowIfAllAbstainDecisions" is + false, an AccessDeniedException + will be thrown. You may avoid this potential issue by either (i) + setting "allowIfAllAbstainDecisions" to + true (although this is generally not recommended) + or (ii) simply ensure that there is at least one configuration + attribute that an AccessDecisionVoter will vote to + grant access for. This latter (recommended) approach is usually + achieved through a ROLE_USER or + ROLE_AUTHENTICATED configuration attribute. @@ -3879,7 +3901,7 @@ $CATALINA_HOME/bin/startup.sh X509AuthoritiesPopulator. - . + . The populator's single method, @@ -3898,7 +3920,7 @@ $CATALINA_HOME/bin/startup.sh your own regular expression to match a different part of the subject's distinguished name. An AuthenticationDao is used to load the - user information. + user information.