CAS filter check ticket deadlock?

hi there, i try to config the CAS module following the instruction of acegi-security-0.6.1\samples\contacts\etc\ssl\howto.txt, everything looks fine. request is redirected to the https://localhost:8443/cas/login, but when i filll the user/pass and click 'submit', the browser is keep trying
https://localhost:8443/cas/login?ser...security_check
again and again, and do not return back to the origin requested page. it seems like some deadlock happen while validating the ticket.

any hints ?

i use cas-server-2.0.12 with tomcat bindle, acegi-security-0.6.1.

-- three acegi filter in web.xml ---

<filter>
<filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.AutoIntegrationFilte r</param-value>
</init-param>
</filter>

<filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.intercept.web.SecurityE nforcementFilter</param-value>
</init-param>
</filter>

<filter>
<filter-name>Acegi CAS Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.cas.CasProcessingFil ter</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi CAS Processing Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

---applicationContext.xml--

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

<!-- =================== SECURITY BEANS YOU SHOULD CHANGE ================== -->

<!-- If you replace this bean with say JdbcDaoImpl, just ensure your replacement
has the same bean id (authenticationDao) -->
<bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.memory.I nMemoryDaoImpl">
<property name="userMap">
<value>
marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR
iist=iist,ROLE_TELLER
scott=wombat,ROLE_TELLER
peter=opal,disabled,ROLE_TELLER
</value>
</property>
</bean>

<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSe curityInterceptor">
<property name="authenticationManager"><ref local="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=ROLE_TELLER
</value>
</property>
</bean>


<!-- ~~~~~~~~~~~~~~~~~~~~ AUTHENTICATION DEFINITIONS ~~~~~~~~~~~~~~~~~~ -->
<!-- the CAS provider -->
<bean id="casAuthenticationProvider" class="net.sf.acegisecurity.providers.cas.CasAuthe nticationProvider">
<property name="casAuthoritiesPopulator"><ref local="casAuthoritiesPopulator"/></property>
<property name="casProxyDecider"><ref local="casProxyDecider"/></property>
<property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
<property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
<property name="key"><value>my_password_for_this_auth_provid er_only</value></property>
</bean>

<bean id="casProxyTicketValidator" class="net.sf.acegisecurity.providers.cas.ticketva lidator.CasProxyTicketValidator">
<property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
<property name="serviceProperties"><ref local="serviceProperties"/></property>
<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
</bean>

<bean id="statelessTicketCache" class="net.sf.acegisecurity.providers.cas.cache.Eh CacheBasedTicketCache">
<property name="minutesToIdle"><value>20</value></property>
</bean>

<bean id="casAuthoritiesPopulator" class="net.sf.acegisecurity.providers.cas.populato r.DaoCasAuthoritiesPopulator">
<property name="authenticationDao"><ref local="authenticationDao"/></property>
</bean>

<bean id="casProxyDecider" class="net.sf.acegisecurity.providers.cas.proxy.Re jectProxyTickets">
</bean>

<bean id="serviceProperties" class="net.sf.acegisecurity.ui.cas.ServiceProperti es">
<property name="service"><value>https://localhost:8443/ideam/j_acegi_cas_security_check</value></property>
<property name="sendRenew"><value>false</value></property>
</bean>

<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderMana ger">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>

<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased" >
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
<property name="decisionVoters">
<list>
<ref local="roleVoter"/>
</list>
</property>
</bean>

<bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilt er" />

<!-- enable CAS -->
<bean id="casProcessingFilter" class="net.sf.acegisecurity.ui.cas.CasProcessingFi lter">
<property name="authenticationManager"><ref local="authenticationManager"/></property>
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
<property name="defaultTargetUrl"><value>/</value></property>
<property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>

<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.Security EnforcementFilter">
<property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
</bean>

<bean id="casProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.cas.CasProcessingFi lterEntryPoint">
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
<property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>

</beans>
<bean id="casProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.cas.CasProcessingFi lterEntryPoint">
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
<property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>

</beans> :?: :cry: :cry: :cry:

Filters appear to be in the wrong order. Ensure your filter-mappings are:

1. CAS Processing Filter
2. Auto Integration Filter
3. HTTP Request Security Filter

many thx