Conclusion

Once configured, using the channel security filter is very easy. Simply request pages without regard to the protocol (i.e. HTTP or HTTPS) or port (e.g. 80, 8080, 443, 8443). Obviously you'll still need a way of making the initial request (probably via the web.xml <welcome-file> or a well-known home page URL), but once this is done the filter will perform redirects as defined by your application context.

You can also add your own ChannelProcessor implementations to the ChannelDecisionManagerImpl. For example, you might set an HttpSession attribute when a human user is detected via an "enter the contents of this graphic" procedure. Your ChannelProcessor would respond to, say, REQUIRES_HUMAN_USER configuration attributes and, if the HttpSession attribute is not currently set, redirect to an appropriate entry point to start the human user validation process.
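
A sketch of the REQUIRES_HUMAN_USER processor described above, added here as an illustration and not taken from the framework's own code. It assumes the Spring Security 3.x to 5.x ChannelProcessor and ChannelEntryPoint interfaces with javax.servlet; the session attribute name HUMAN_USER_VERIFIED and the /humanCheck entry URL are hypothetical.

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.ChannelEntryPoint;
import org.springframework.security.web.access.channel.ChannelProcessor;

public class HumanUserChannelProcessor implements ChannelProcessor {
    static final String ATTRIBUTE = "REQUIRES_HUMAN_USER";
    static final String SESSION_FLAG = "HUMAN_USER_VERIFIED"; // hypothetical name
    static final String ENTRY_URL = "/humanCheck";            // hypothetical URL

    // Entry point that starts the human user validation process.
    // ENTRY_URL must not itself be mapped to REQUIRES_HUMAN_USER,
    // otherwise every request ends in a redirect loop.
    private final ChannelEntryPoint entryPoint = new ChannelEntryPoint() {
        public void commence(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.sendRedirect(request.getContextPath() + ENTRY_URL);
        }
    };

    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && ATTRIBUTE.equals(attribute.getAttribute());
    }

    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
        for (ConfigAttribute attribute : config) {
            if (!supports(attribute)) {
                continue;
            }
            // getSession(false): do not create a session just to test the flag.
            HttpSession session = invocation.getHttpRequest().getSession(false);
            boolean verified = session != null
                    && Boolean.TRUE.equals(session.getAttribute(SESSION_FLAG));
            if (!verified) {
                // Committing the response here stops further channel processing.
                entryPoint.commence(invocation.getRequest(), invocation.getResponse());
            }
            return;
        }
    }
}
```

The flag should be set only by the server-side code that validates the challenge answer, never from a request parameter, and the processor is registered by adding it to the channelProcessors list of the ChannelDecisionManagerImpl.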

To decide whether a security check belongs in a ChannelProcessor or an AccessDecisionVoter, remember that the former is designed to handle unauthenticated requests, whilst the latter is designed to handle authenticated requests. The latter therefore has access to the granted authorities of the authenticated principal. In addition, problems detected by a ChannelProcessor will generally cause an HTTP/HTTPS redirection so its requirements can be met, whilst problems detected by an AccessDecisionVoter will ultimately result in an AccessDeniedException (depending on the governing AccessDecisionManager).