I'm implementing an app that uses acegi's securityEnforcementFilter as well as the switchUserProcessingFilter. I lock down an admin directory. However, the admin/j_acegi_switch_user is what I use for the switchUserProcessingFilter and if I type that url directly, it doesn't authorize the user so that it only lets in users with the proper role.
So to be as clear as I can, I have a rule in the filterInvocationInterceptor of:
and the switch_user thing set to:
However a non-admin and non-previous_admin can call that j_acegi_switch_user directly and it even forwards to another admin page.
It doesn't allow them to get to that other admin page directly but it does by means of the j_acegi_switch_user forward.
Anyway, it's an odd problem and I wondered if there was a hole in the acegi stuff for the switch user stuff or if I'm just configuring it incorrectly. I understand that the securityEnforcementFilter needs to be referenced last in the list, but I thought that might be why something might happen - because the switch user filter comes before the securityEnforcementFilter?
By the way, I'm using acegi version 0.9.
Anyway, any thoughts?