Security based on URLs
I have a question here about URL-based security.
I have a user A who can only view /secure/*.jsp.
I have a user B who can view /admin/*.jsp.
Now, when I am logged in as A and change the URL (by typing in the address bar) to /admin/*.jsp, A is also able to see the JSP.
How can I restrict this?
I would have a look at the examples that ship with Acegi; they show how to do this.
I was working with the examples (contacts) and it allows this.
I mean I am able to see the admin permissions page if I change the URL manually. The user is not able to see the link to go to it, though.
I guess the link is protected but the URL isn't. If you add the URL and the ROLE to the code below it should fix it. You might want to JIRA this if you think it's a problem.
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
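
A full interceptor definition of the kind the last reply describes, as an added example that is not code from the thread or from the Acegi samples. It assumes Acegi 1.0's `objectDefinitionSource` property, a decision manager that votes on role names (such as `RoleVoter`), and the hypothetical role names `ROLE_USER` for user A and `ROLE_ADMIN` for user B.

```xml
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <!--
      URL-to-role mapping enforced on every request by the filter,
      independent of which links the JSPs choose to render.
      Patterns are evaluated top-down and the first match wins, so
      list the most specific patterns first.
      The first directive lowercases the request URL before matching,
      so the patterns themselves must be written in lowercase.
      ROLE_ADMIN and ROLE_USER are assumed role names; use the
      authorities your authentication provider actually grants.
    -->
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /admin/**=ROLE_ADMIN
            /secure/**=ROLE_USER
        </value>
    </property>
</bean>
```

With this mapping a request for a page under /admin/ from a session holding only `ROLE_USER` is rejected by the interceptor, whether the URL was reached through a link or typed into the address bar.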