I have successfully created a custom AccessDecisionVoter class and tied it into my web application through XML.
Now I want this to be called with every page load, to make sure the user is allowed to access that specific page, not just the web site as a whole. It looks like my voter is only getting called when I log in.
How do I get it to be called with every page?
<security:http auto-config="true"
use-expressions="true"
access-decision-manager-ref="accessDecisionManager">
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/statics/*" access="permitAll" />
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/index" />
<security:logout invalidate-session="true"
logout-success-url="/loggedout"
logout-url="/logout" />
</security:http>
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<bean class="com.tarigma.gem.security.DBVoter" />
</list>
</property>
</bean>
It will be called every request unless a previous filter in the security chain granted access.
Have you configured Spring as per request validation. Place this filter first in the chain. Most of the times the remember me overrides this. Take a look at what resources are configured to be checked.
You must configure under which uris are you performing the security.
Are you using annotations?
<global-method-security secured-annotations="enabled"access-decision-manager-ref="accessDecisionManager"/>