
Thread: Security based on urls

  1. #1
    Join Date
    Feb 2007
    Posts
    143

    Default Security based on urls

    Hi,

    I have a question here about URL-based security.

    I have a user A who can only view /secure/*.jsp
    I have a user B who can view /admin/*.jsp

    Now, when I am logged in as A and change the url (by typing in the address bar) to /admin/*jsp, A is also able to see the jsp.
    How can I restrict this?

  2. #2
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,425

    Default

    I would have a look at the examples that ship with Acegi, they show how to do this.

  3. #3
    Join Date
    Feb 2007
    Posts
    143

    Default

    Hi karl,

    I was working with the examples (contacts) and it allows this.
    I mean I am able to see the admin permissions page if I change the URL manually. The user is not able to see the link to go to it, though.


    Thanks
    Vinaya

  4. #4
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,425

    Default

    I guess the link is protected but the URL isn't. If you add the URL and the ROLE to the code below it should fix it. You might want to JIRA this if you think it's a problem.
    Code:
       <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
          <property name="objectDefinitionSource">
             <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /index.jsp=ROLE_ANONYMOUS,ROLE_USER
                /hello.htm=ROLE_ANONYMOUS,ROLE_USER
                /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
                /switchuser.jsp=ROLE_SUPERVISOR
                /j_acegi_switch_user=ROLE_SUPERVISOR
                /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
                /**=ROLE_USER
             </value>
          </property>
       </bean>
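
The rule list above, modelled as an added example (not part of the original thread and not Acegi's own code): a simplified Python evaluator showing why `/admin/*.jsp` is reachable with only `ROLE_USER` under the catch-all `/**=ROLE_USER`, and why a more specific rule must sit above it. Assumptions: rules are checked top to bottom and the first match decides, access is granted when the user holds any listed role, and `/admin/**=ROLE_SUPERVISOR` is a hypothetical rule chosen for illustration.

```python
import re

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into a regex (simplified model)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out, i = out + "(/.*)?", i + 3    # trailing /** also covers the directory itself
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2        # ** crosses path separators
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1     # * stays within one path segment
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def parse_rules(text):
    """Parse 'pattern=ROLE_A,ROLE_B' lines; directive lines without '=' are skipped."""
    rules = []
    for line in text.split():
        if "=" in line:
            pattern, _, roles = line.rpartition("=")
            rules.append((ant_to_regex(pattern), set(roles.split(","))))
    return rules

def allowed(rules, url, user_roles):
    """Assumed semantics: first matching rule decides, any listed role grants access."""
    url = url.lower()                         # CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    for regex, required in rules:
        if regex.match(url):
            return bool(required & set(user_roles))
    return True                               # assumption: unmatched URLs are unsecured

HEAD = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT "
# Tail of the list as posted: only the catch-all covers /admin/*.jsp.
ORIGINAL = HEAD + "/switchuser.jsp=ROLE_SUPERVISOR /**=ROLE_USER"
# Hypothetical fix: a specific /admin rule placed before the catch-all.
FIXED = HEAD + "/switchuser.jsp=ROLE_SUPERVISOR /admin/**=ROLE_SUPERVISOR /**=ROLE_USER"
# Same rule placed after the catch-all: never reached, so it changes nothing.
MISORDERED = HEAD + "/switchuser.jsp=ROLE_SUPERVISOR /**=ROLE_USER /admin/**=ROLE_SUPERVISOR"

if __name__ == "__main__":
    user_a = {"ROLE_USER"}                    # constructed sample users
    user_b = {"ROLE_USER", "ROLE_SUPERVISOR"}
    for name, text in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        rules = parse_rules(text)
        print(name, "A:", allowed(rules, "/admin/users.jsp", user_a),
              "B:", allowed(rules, "/admin/users.jsp", user_b))
```

Hiding the link in the page does not affect any of these results; only the rule list decides whether the request is served.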
