The ‘CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON’ parameter to FilterSecurityInterceptor means exactly that – URLs are converted to lower case for comparison with the patterns that you define.
If you use CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, then make sure all the URL patterns you specify are also in lower case, otherwise you will never get a match. This seems obvious, but it took me several hours of trial and error before I spotted what was not working in my configuration.
For example, take this snippet of configuration:
<code> <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"> <ref bean="authenticationManager"/></property> <property name="accessDecisionManager"> <ref bean="accessDecisionManager"/></property> <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /acegilogin.jsp*=ROLE_ANONYMOUS, ROLE_ADMIN /=ROLE_ANONYMOUS, ROLE_ADMIN /index.jsp=ROLE_ANONYMOUS, ROLE_ADMIN /item/show/**=ROLE_ANONYMOUS, ROLE_ADMIN /item/list/**=ROLE_ANONYMOUS, ROLE_ADMIN /item/doSomeOtherThing=ROLE_ANONYMOUS, ROLE_ADMIN ... </bean> </code>
The URL ‘/item/doSomeOtherThing’ is never going to be matched, since the incoming URLs for comparison are converted to lowercase by the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON instruction.