=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/vote/LogicalOrAccessDecisionManager.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/vote/LogicalOrAccessDecisionManager.java 2011-12-26 10:07:59 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/vote/LogicalOrAccessDecisionManager.java 2012-03-07 12:44:54 +0000
@@ -27,10 +27,6 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.AccessDecisionManager;
@@ -39,13 +35,17 @@
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
 /**
 * AccessDecisionManager which delegates to other AccessDecisionManagers in a
 * logical or fashion. Delegation is stopped at the first positive answer from
 * the delegates, where the order of execution is defined by the list of
 * AccessDecisionManagers. So if the first AccessDecisionManager grants access
- * for a specific target, no other AccessDecisionManager is questioned.
- *
+ * for a specific target, no other AccessDecisionManager is questioned.
+ *
 * @author Torgeir Lorange Ostby
 * @version $Id: LogicalOrAccessDecisionManager.java 6335 2008-11-20 11:11:26Z larshelg $
 */
@@ -74,21 +74,24 @@
 for ( AccessDecisionManager accessDecisionManager : accessDecisionManagers )
 {
- try
- {
- accessDecisionManager.decide( authentication, object, configAttributes );
-
- LOG.debug( "ACCESS GRANTED [" + object.toString() + "]" );
-
- return;
- }
- catch ( AccessDeniedException e )
- {
- ade = e;
- }
- catch ( InsufficientAuthenticationException e )
- {
- iae = e;
+ // we can't assume that all decision managers can support the same type, so we need to check for
+ // every request.
+ if ( accessDecisionManager.supports( object.getClass() ) )
+ {
+ try
+ {
+ accessDecisionManager.decide( authentication, object, configAttributes );
+
+ LOG.debug( "ACCESS GRANTED [" + object.toString() + "]" );
+
+ return;
+ } catch ( AccessDeniedException e )
+ {
+ ade = e;
+ } catch ( InsufficientAuthenticationException e )
+ {
+ iae = e;
+ }
 }
 }
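Review bot: With the new `supports( object.getClass() )` guard, a request whose object type no delegate supports skips every `decide()` call, so neither `ade` nor `iae` is set when the loop ends. What the method does after the loop is outside this hunk; if it only rethrows those two exceptions, it would return normally and the caller would treat that as access granted. I would make the unsupported case fail closed: set a flag inside the `if` and, after the loop, `if ( !supported ) throw new AccessDeniedException( "No AccessDecisionManager supports " + object.getClass().getName() );`. A short comment on the guard stating that a skipped manager counts as neither a grant nor a denial would also help the next reader.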