posted 16 years ago
In my experience, declarative security only works for the most simple uses cases. In all non-trivial applications I've found it much too limiting. It's not realistically possible (or desirable) to differentiate rights and privileges by URL. In many cases, having more (or different) rights means being able to view more (or different) data, not being able to access additional URLs (although that, too, can happen).