i read this thread:
i feel extending acegi class such as AbstractProcessingFilter is not easy to understand, hard to learn, and possibly a bad design.
i feel it may be better if AuthenticationProcessingFilter has properties that allows a user to add beans for after successful or failed authentication. this means Acegi needs to define interfaces for plugged-in beans. it is easy to make mistakes to directly extend AuthenticationProcessingFilter.
i hope to see the same mechanism for after successful/failed authorization.