If you're using the login page to have users log in, rather than Windows integrated authentication, you can force users to log in before they can do anything.
By default an anonymous user (one who has not logged in yet) can see the list of available clients and from there log in with the login button; with the change below the user is forced to log in before they can perform any operation at all.
To make the change, edit the objectDefinitionSource in the following section of security.xml:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager">
        <bean class="org.acegisecurity.vote.AffirmativeBased">
            <property name="allowIfAllAbstainDecisions" value="false"/>
            <property name="decisionVoters">
                <list>
                    <bean class="org.acegisecurity.vote.RoleVoter"/>
                    <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
                </list>
            </property>
        </bean>
    </property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=IS_AUTHENTICATED_ANONYMOUSLY
        </value>
    </property>
</bean>
To force authentication, the objectDefinitionSource should be changed to:
<property name="objectDefinitionSource">
    <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /login.*=IS_AUTHENTICATED_ANONYMOUSLY
        /login/**=IS_AUTHENTICATED_ANONYMOUSLY
        /**=IS_AUTHENTICATED_FULLY
    </value>
</property>
This leaves the resources needed for the login page available to anyone, but requires the user to be fully authenticated before they can access anything else. Note that the rules are matched in order and the first matching pattern wins, so the two /login entries must stay above the catch-all /** entry.
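As an added illustration (not the project's or Acegi's own code), the following Python models how the interceptor above evaluates the two objectDefinitionSource values: the request path is lowercased, rules are tried in order, the first Ant pattern that matches supplies the attributes, and AuthenticatedVoter decides. The Ant matcher, the voter and the user levels are simplified assumptions of this model, not the Acegi classes themselves.

```python
import re
# Added model (not Acegi's own code) of how objectDefinitionSource is evaluated: rules are
# tried in order, the FIRST matching Ant pattern supplies the attributes, and AffirmativeBased
# grants on any ACCESS_GRANTED and (allowIfAllAbstainDecisions=false) denies when nothing
# grants. RoleVoter abstains on every IS_AUTHENTICATED_* attribute, so it is left out here.
LEVEL = {"anonymous": 0, "remembered": 1, "fully": 2}            # how the caller logged in
NEEDS = {"IS_AUTHENTICATED_ANONYMOUSLY": 0, "IS_AUTHENTICATED_REMEMBERED": 1,
         "IS_AUTHENTICATED_FULLY": 2}                            # level each attribute demands

def ant_to_regex(pattern):
    # Simplified Ant matching: /** spans directories, * stays within one path segment.
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_definition_source(text):
    # Returns (lowercase_urls, [(compiled_pattern, [attributes]), ...]) in file order.
    lowercase, rules = False, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line and line != "PATTERN_TYPE_APACHE_ANT":
            pattern, attrs = line.split("=", 1)
            rules.append((ant_to_regex(pattern), [a.strip() for a in attrs.split(",")]))
    return lowercase, rules

def vote_authenticated(level, attrs):
    # Models org.acegisecurity.vote.AuthenticatedVoter: grant if any attribute it knows is met.
    mine = [a for a in attrs if a in NEEDS]
    if not mine:
        return "abstain"
    return "grant" if any(LEVEL[level] >= NEEDS[a] for a in mine) else "deny"

def decide(source_text, level, url):
    # Outcome for one request: 'public' (no rule matched), 'grant' or 'deny'.
    lowercase, rules = parse_definition_source(source_text)
    path = url.lower() if lowercase else url
    attrs = next((a for rx, a in rules if rx.match(path)), None)
    if attrs is None:
        return "public"                  # FilterSecurityInterceptor lets unmatched URLs through
    return "grant" if vote_authenticated(level, attrs) == "grant" else "deny"

# The two definition sources from this page, as constructed sample input.
DEFAULT = ("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\nPATTERN_TYPE_APACHE_ANT\n"
           "/**=IS_AUTHENTICATED_ANONYMOUSLY")
FORCED = DEFAULT.replace("/**=IS_AUTHENTICATED_ANONYMOUSLY", "/login.*=IS_AUTHENTICATED_ANONYMOUSLY\n"
                         "/login/**=IS_AUTHENTICATED_ANONYMOUSLY\n/**=IS_AUTHENTICATED_FULLY")
```

Swapping the /** line above the /login lines in FORCED makes the login page itself require full authentication, which is the misconfiguration to check for when editing this section.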