a bit confused here.
if the user has granted authority of ROLE_APP only he can't access main. is this the default behaviour? or should i add ROLE_ADMIN to the user such that in order to access /secure/main he has to have the granted roles of both ROLE_APP and ROLE_ADMIN?
thanks in advance!