Thread: Spring security problem

  1. #1
    Join Date: Oct 2012 | Posts: 9

    Spring security problem

    Hi guys!
    I'm very new to Roo, so maybe I will have some basic questions.

    I have a simple problem: I want to protect some views from different roles.
    For example: a user could only access the create photo section, and an admin could list them.
    This code doesn't work:
    Code:
    <intercept-url pattern="/pphotoes/create" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/pphotoes/list" access="hasRole('ROLE_ADMIN')" />
    I tried list and list.jspx; none of them are working.

    here is the complete applicationContext-security.xml file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.1.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        <!-- HTTP security configurations -->
        <http auto-config="true" use-expressions="true">
            <form-login login-processing-url="/resources/j_spring_security_check"
                login-page="/login" authentication-failure-url="/login?login_error=t" />
            <logout logout-url="/resources/j_spring_security_logout" />
            <!-- Configure these elements to secure URIs in your application -->
            <intercept-url pattern="/pcustomers/**" access="hasRole('ROLE_ADMIN')" />

            <intercept-url pattern="/pphotoes/**" access="hasRole('ROLE_ADMIN')" />
            <intercept-url pattern="/pphotoes/create" access="hasRole('ROLE_USER')" />

            <intercept-url pattern="/porders/create.jspx" access="hasRole('ROLE_USER')" />
            <intercept-url pattern="/porders/list.jspx" access="hasRole('ROLE_ADMIN')" />

            <intercept-url pattern="/member/**" access="isAuthenticated()" />
            <intercept-url pattern="/resources/**" access="permitAll" />

            <intercept-url pattern="/login" access="permitAll" />

            <intercept-url pattern="/*" access="isAuthenticated()" />
        </http>

        <beans:bean name="AuthenticationController"
            class="phstore.web.AuthController">
        </beans:bean>

        <!-- Configure Authentication mechanism -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="AuthenticationController" />
        </authentication-manager>
    </beans:beans>
    User login is working, and the pcustomers views are hidden from the User role.
    How do I manage to hide some views from different roles?

  2. #2
    Join Date: Oct 2012 | Posts: 9

    OK, I found an interesting example in the Spring cookbook (on page 325 according to the original page numbers).
    There is a section named "Configuring web request security".

    I tried the example without the LDAP backend.
    I posted my question on Stack Overflow, please check (something is wrong with the Maven build):
    http://stackoverflow.com/a/11475003/911862

  3. #3
    Join Date: Oct 2012 | Posts: 9

    OK, this can be easily done by editing the menu.jspx.
    Code:
    <div xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:menu="urn:jsptagdir:/WEB-INF/tags/menu" xmlns:security="http://www.springframework.org/security/tags" xmlns:spring="http://www.springframework.org/tags" id="menu" version="2.0">

    Code:
    <security:authorize ifAnyGranted="ROLE_ADMIN"> .... </security:authorize>

  4. #4
    Join Date: Jun 2008 | Location: Philadelphia, PA, USA | Posts: 212

    Your security:authorize is absolutely required; the isAuthorized tag in Spring's security taglib is NOT security, but convenience. They could still figure out the link and call it.

    Have you tried to use <security:intercept-url /> and use the method="POST/PUT/GET/DELETE" attribute too? Wouldn't that work for different users needing different action permissions against the same URL?

    Ken
    Ken Rimple
    Chariot Solutions
    email: krimple@chariotsolutions.com
    work: www.chariotsolutions.com/education
    personal: www.rimple.com

    Author: Spring Roo in Action (Manning)
    MEAP Site: manning.com/rimple
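Added example (not code from this thread, and not Spring's own code): a small Python model of how `<intercept-url>` rules are evaluated, written to make the behaviour behind post #1 and Ken's `method` suggestion in post #4 visible. Spring Security tries the rules in declaration order and the first pattern that matches decides, so in the posted configuration `/pphotoes/**` shadows the later `/pphotoes/create` rule and a principal holding only ROLE_USER is refused. The rule lists, paths and role sets below are constructed for the example; the matcher is a simplified stand-in for Spring's AntPathMatcher, `hasRole` is evaluated without a role hierarchy (ROLE_ADMIN does not imply ROLE_USER), and the model reports an unmatched path as denied so that the gap left by a one-segment `/*` catch-all shows up instead of silently passing.

```python
"""Model of Spring Security <intercept-url> evaluation (added example, not Spring's code)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str                  # Ant-style path pattern, as in pattern="..."
    access: str                   # access="..." expression
    method: Optional[str] = None  # method="..." attribute; None means any HTTP method


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified AntPathMatcher: '**' spans path segments, '*' stays within one segment.
    A trailing '/**' also matches the bare prefix, as Spring's matcher does."""
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            regex += "(/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def first_match(rules: Sequence[Rule], path: str, method: str = "GET") -> Optional[Rule]:
    """Rules are tried in declaration order; the first one that matches decides."""
    for rule in rules:
        if rule.method is not None and rule.method != method:
            continue  # method-restricted rule does not apply to this request
        if ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def evaluate(access: str, roles: frozenset) -> bool:
    """Evaluate the subset of access expressions used in the thread's configuration."""
    if access == "permitAll":
        return True
    if access == "isAuthenticated()":
        return bool(roles)  # model: an authenticated principal carries at least one role
    m = re.fullmatch(r"hasRole\('(\w+)'\)", access)
    if m:
        return m.group(1) in roles  # no role hierarchy: ROLE_ADMIN does not imply ROLE_USER
    raise ValueError(f"unsupported access expression: {access}")


def decide(rules: Sequence[Rule], path: str, roles: Iterable[str],
           method: str = "GET") -> Tuple[Optional[str], bool]:
    """Return (pattern that decided, allowed). Model choice: an unmatched path is reported
    as (None, False) so that holes in the rule set are visible rather than silently open."""
    rule = first_match(rules, path, method)
    if rule is None:
        return None, False
    return rule.pattern, evaluate(rule.access, frozenset(roles))


# Constructed rule list mirroring the order in the posted applicationContext-security.xml.
ORIGINAL_ORDER = [
    Rule("/pcustomers/**", "hasRole('ROLE_ADMIN')"),
    Rule("/pphotoes/**", "hasRole('ROLE_ADMIN')"),      # matches /pphotoes/create first ...
    Rule("/pphotoes/create", "hasRole('ROLE_USER')"),   # ... so this rule is never reached
    Rule("/member/**", "isAuthenticated()"),
    Rule("/resources/**", "permitAll"),
    Rule("/login", "permitAll"),
    Rule("/*", "isAuthenticated()"),                    # one segment only: /a/b is unmatched
]

# Same rules, most specific first, and a catch-all that spans every depth.
FIXED_ORDER = [
    Rule("/pcustomers/**", "hasRole('ROLE_ADMIN')"),
    Rule("/pphotoes/create", "hasRole('ROLE_USER')"),   # specific rule before the wildcard
    Rule("/pphotoes/**", "hasRole('ROLE_ADMIN')"),
    Rule("/member/**", "isAuthenticated()"),
    Rule("/resources/**", "permitAll"),
    Rule("/login", "permitAll"),
    Rule("/**", "isAuthenticated()"),
]

# Constructed illustration of the method="..." attribute from post #4: the same URL,
# different permissions per HTTP method.
METHOD_RULES = [
    Rule("/pphotoes/**", "hasRole('ROLE_USER')", method="POST"),  # users may submit photos
    Rule("/pphotoes/**", "hasRole('ROLE_ADMIN')"),                # everything else: admin only
    Rule("/**", "isAuthenticated()"),
]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "/pphotoes/create as ROLE_USER ->", decide(rules, "/pphotoes/create", {"ROLE_USER"}))
        print(label, "/some/deep/path as ROLE_USER ->", decide(rules, "/some/deep/path", {"ROLE_USER"}))
    print("POST /pphotoes as ROLE_USER ->", decide(METHOD_RULES, "/pphotoes", {"ROLE_USER"}, "POST"))
    print("GET  /pphotoes as ROLE_USER ->", decide(METHOD_RULES, "/pphotoes", {"ROLE_USER"}, "GET"))
```

Running it shows the two points a reviewer would check in such a configuration: with the original order the create URL is decided by `/pphotoes/**` and a plain user is refused, while moving the specific rule above the wildcard fixes that; and `/*` only covers one path segment, so a deeper path falls through every rule, which `/**` closes. The `METHOD_RULES` list shows Ken's alternative from post #4, where one pattern carries different requirements per HTTP method.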
