Possible bug in PathBasedFilterInvocationDefinitionMap



adepue
Jan 20th, 2005, 12:24 PM
This is either a bug or a misunderstanding on my part. I have a FilterSecurityInterceptor defined for my web site with an objectDefinitionSource in my Spring config that contains something along these lines:


<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="httpRequestAccessDecisionManager"/></property>
  <property name="runAsManager"><ref bean="runAsManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      ...
      /somepath/somesubpath/SpecificPage=
      /somepath/**=ROLE_USER
    </value>
  </property>
</bean>

Basically what I'm trying to accomplish is to secure (require a login for) all content below /somepath/** EXCEPT for the specific page /somepath/somesubpath/SpecificPage (hence the empty role list). I did a quick look at the source code and it appears this should work, except that PathBasedFilterInvocationDefinitionMap has this line in the addSecureUrl method:


if (logger.isDebugEnabled()) {
    logger.debug("Added Ant path: " + antPath + "; attributes: "
        + attr.toString());
}

However, since I have an empty role list on the right-hand side of my path, the "ConfigAttributeDefinition attr" parameter is null at this point, so I get a NullPointerException.
Is this a bug, or should I be approaching the issue differently?

Thanks,
Andy

Ben Alex
Jan 20th, 2005, 04:10 PM
Hi Andy

I intend to address this in the long-term by having an anonymous user, which can have GrantedAuthority[]s automatically assigned. As such your filter could require ROLE_ANONYMOUS (granted to the anonymous user) and it would work.

In the meantime, this approach is probably best: http://forum.springframework.org/showthread.php?t=11996
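
Added example, not part of the thread and not Acegi Security source: a Java illustration of first-match path rules like those in the question's objectDefinitionSource, where an empty right-hand side is stored as an empty attribute list so the debug line never dereferences null. The class PathRuleDemo, its methods and the simplified Ant matching are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;
// Added illustration; not Acegi Security code. All names here are hypothetical.
public class PathRuleDemo {
    // Insertion-ordered: the first matching pattern decides, so exemptions go first.
    private final Map<Pattern, List<String>> rules = new LinkedHashMap<>();
    // Simplified Ant-style matching: ** spans directories, * and ? stay in one segment.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') { re.append(".*"); i++; }
            else if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.toString());
    }

    // Parses "pattern=ROLE_A,ROLE_B"; an empty right-hand side gives an empty list, never null.
    void addRule(String line) {
        int eq = line.lastIndexOf('=');
        String path = line.substring(0, eq).trim().toLowerCase();
        List<String> roles = new ArrayList<>();
        for (String r : line.substring(eq + 1).split(",")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
        rules.put(antToRegex(path), roles);
        System.out.println("Added Ant path: " + path + "; attributes: " + roles);
    }

    // Returns the roles of the first matching rule, or null when no rule covers the URL.
    List<String> lookup(String url) {
        for (Map.Entry<Pattern, List<String>> e : rules.entrySet()) {
            if (e.getKey().matcher(url.toLowerCase()).matches()) return e.getValue();
        }
        return null;
    }

    public static void main(String[] args) {
        PathRuleDemo m = new PathRuleDemo();
        m.addRule("/somepath/somesubpath/SpecificPage=");
        m.addRule("/somepath/**=ROLE_USER");
        System.out.println(m.lookup("/somepath/somesubpath/SpecificPage"));
        System.out.println(m.lookup("/somepath/other"));
        System.out.println(m.lookup("/elsewhere"));
    }
}
```

Reversing the two addRule calls makes the catch-all match first and silently removes the exemption, which is why the specific path is listed above /somepath/** in the question's configuration.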