I modified my security.xml this way:
<?xml version="1.0" encoding="UTF-8"?>
<bean:beans xmlns:bean="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none"/>
<http use-expressions="true" entry-point-ref="casEntryPoint">
<intercept-url pattern="/"
access="permitAll"/>
<intercept-url pattern="/login/*"
access="permitAll"/>
<intercept-url pattern="/logout"
access="permitAll"/>
<intercept-url pattern="/errors/**"
access="permitAll"/>
<intercept-url pattern="/events/new"
access="hasRole('ROLE_PERMISSIONS_CREATE_EVENTS')"/>
<intercept-url pattern="/admin/**"
access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/**"
access="hasRole('ROLE_USER')"/>
<access-denied-handler error-page="/errors/403"/>
<custom-filter ref="casFilter" position="CAS_FILTER"/>
<logout logout-url="/logout"
logout-success-url="/login/form?logout"/>
</http>
<global-method-security pre-post-annotations="enabled"/>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="casAuthProvider" />
</authentication-manager>
</bean:beans>
When user with the role ROLE_PERMISSIONS_CREATE_EVENTS try to access /events/new
Spring security denies the access:
2013-11-06 12:33:32,850 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/resources/**'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@e4412558: Authentication: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 3 of 9 in additional filter chain; firing Filter: 'CasAuthenticationFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyTicketRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/login/*'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/logout'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/errors/**'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/events/new'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/admin/**'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /events/form; Attributes: [hasRole('ROLE_USER')]
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33439c61, returned: -1
2013-11-06 12:33:32,853 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
...
2013-11-06 12:33:32,859 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/resources/**'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@e4412558: Authentication: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 3 of 9 in additional filter chain; firing Filter: 'CasAuthenticationFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyTicketRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/login/*'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/logout'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/errors/**'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/events/new'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/admin/**'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /favicon.ico; Attributes: [hasRole('ROLE_USER')]
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33439c61, returned: -1
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
...
Any idea? Thanks, ray.