Spring Security Rule

pamir sonmez
Ranch Hand

Joined: May 31, 2010
Posts: 46
In my security.xml file, I implemented the access rights for the admin/** page like this:

Then, in my strut.xml file, I have an action mapping like this:

I am able to call myAction without logging in to the system, and as the result of the action I am forwarded to the admin.jsp page, for which I don't have the required privileges. However, since the action redirected me to that page, I am able to see the content of the page.

Since the URL is not changed after the action is called, security is not restricting the page from being shown.
How can I handle this situation?
If security handled the forwarding, wouldn't it be better?
Peter Mularien
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Sounds like you may not have the relevant servlet filters in the right order. Can you post your web.xml file as well?

Author, Spring Security 3 (the Book), Packt Publishing, 2010
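
An added example, not part of any post in this thread: a web.xml in which the Spring Security filter chain is mapped ahead of the Struts 2 filter and also applied to FORWARD dispatches, so that a server-side forward to a page under admin/** is checked against the URL rules. The config location, the `struts2` filter name and the Struts 2 filter class (the 2.1.x to 2.3.x one) are assumptions about the poster's setup.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Load the Spring Security configuration (path is an assumption). -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Delegates to the filter chain bean created by the <http> element. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <!-- Struts 2 dispatcher (class name assumed for Struts 2.1.x to 2.3.x). -->
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>

  <!-- The container applies filters in filter-mapping order, so the
       security chain must be mapped before the Struts 2 filter. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- Without an explicit dispatcher list only REQUEST is filtered,
         and a forward to admin/admin.jsp is never seen by the chain. -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>

  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```

With the default REQUEST-only mapping, the security chain evaluates only the URL the client asked for, so the action URL itself also needs an access rule if it leads to protected content.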
Jackie Li
Ranch Hand

Joined: Sep 12, 2010
Posts: 30
Have you configured your ExceptionTranslationFilter, or in other ways, have you ever used your authorization settings?