I have a file view.xml where my definitions of views are defined. My final page is constituted by several myFile.jspx files.
If I use , when I have ROLE_USER I can see the form for create. I get the access denied page only if I click on save, because the save method is mapped to POST and the ROLE_USER doesn't have this privilege.
How can I restrict a view by URL in my security configuration XML directly? I want to go directly to the access denied page.
By creating a custom filter? I need a little advice.
Well, if I have the ROLE_USER I want to go to the access denied page if I click on the link create user, but actually, I can see the form for create and only after clicking the save button do I go to the denied page.
What I am trying to say is, let's say you have a controller mapped like this
and this handles rendering the form for create.
and you also have a method like this
and this handles the save action for the create user form.
If you want both of these to be access denied, you want to change this
which only restricts the second to this
which will restrict it regardless of the HTTP method used.
Also another thing to be aware of when you are working on this is that when defining patterns remember that they are evaluated in the order they are defined, therefore more specific patterns should always be higher in the list than less specific patterns. I don't know if this is causing you issues since you just posted the one intercept-url but it is something you should keep in mind.
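The two points made in this answer (dropping the method restriction and ordering patterns from most to least specific), shown as an added example that is not part of the original thread. It is a fragment for the `<http>` element of a Spring Security namespace configuration; the URL patterns, `ROLE_ADMIN` and the `/accessDenied` page are assumptions chosen for illustration.

```xml
<!-- Added example: URL patterns, ROLE_ADMIN and /accessDenied are hypothetical. -->
<http use-expressions="true">

  <!-- Before: the rule only matches POST, so a GET to the same URL
       (rendering the create form) is not covered by it and falls
       through to a later, more permissive rule.
  <intercept-url pattern="/users/create" method="POST"
                 access="hasRole('ROLE_ADMIN')"/>
  -->

  <!-- After: no method attribute, so the rule applies to every HTTP
       method. ROLE_USER is denied on the GET that renders the form,
       not only on the POST that saves it. -->
  <intercept-url pattern="/users/create"
                 access="hasRole('ROLE_ADMIN')"/>

  <!-- Patterns are evaluated in the order they are defined and the
       first match wins. The broader patterns therefore come after
       the specific one above; if /users/** were listed first, the
       /users/create rule would never be reached. -->
  <intercept-url pattern="/users/**" access="hasRole('ROLE_USER')"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>

  <form-login/>

  <!-- Page shown when an authenticated user lacks the required role. -->
  <access-denied-handler error-page="/accessDenied"/>
</http>
```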
Thanks for your response!
Now I have added in my applicationContext-security.xml and in my controller:
I have the ROLE_USER and the annotation @PreAuthorize has no effect. Am I missing something?
The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.
In your case your controller beans are most likely defined in your servlet-context.xml.
Hope this gives you enough to figure it out.
I see, it's better to put the annotations in the interfaces.
Just one more thing... If I want to block a URL like that: .
The url is mapped with this method in my controller