On Nov 21, 2007 11:33 AM, Campa <[EMAIL PROTECTED]> wrote:

>
> Hi,
>
> I'm using appfuse 2.0 with struts 2.
> I cannot understand why, when requesting a URL like
> http://...8080/patient/list.html, logged in with a user with only "ROLE_USER",
> the security layer gives me an ExceptionPage (
> org.acegisecurity.AccessDeniedException: Access is denied ). It does not block
> a user with ADMIN_ROLE.


Taking a flyer here, but I am assuming that /patient/list.html calls
UserManager.getUsers() somewhere in the background? If so, you will need to
allow all users access to that method (changes need to be applied to
methodSecurityInterceptor towards the bottom of security.xml). One note:
allowing access to the list of users in the application could be a security
risk.

Mike.


>
> My security.xml file reports the following ANT_PATHs:
> <bean id="filterInvocationInterceptor"
> class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
>        <property name="authenticationManager"
> ref="authenticationManager"/>
>        <property name="accessDecisionManager"
> ref="accessDecisionManager"/>
>        <property name="objectDefinitionSource">
>            <value>
>                PATTERN_TYPE_APACHE_ANT
>                /admin/*=ROLE_ADMIN
>                /passwordHint.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>                /signup.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>                /a4j.res/*.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER <!--
> APF-737, OK to remove if not using JSF -->
>                /**/*.html*=ROLE_ADMIN,ROLE_USER
>                /patient/list.html*=ROLE_ADMIN,ROLE_USER
>            </value>
>        </property>
>    </bean>
>
> Can someone help me?
> Thanks
> Stefano
>
>
> --
> View this message in context:
> http://www.nabble.com/Security-configuration-tf4849572s2369.html#a13875515
> Sent from the AppFuse - User mailing list archive at Nabble.com.
>
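To see which of the two Acegi layers rejects the request, here is an added model in Python (not AppFuse's or Acegi's own code) that replays the URL rules from the security.xml quoted above together with an assumed methodSecurityInterceptor entry restricting org.appfuse.service.UserManager.getUsers to ROLE_ADMIN. The fully qualified class name, that restriction and the simplified Ant matching are assumptions; the thread only says getUsers() is probably called behind the page.

```python
import re

# URL-layer rules, copied from the security.xml quoted in the thread. Acegi's
# FilterSecurityInterceptor evaluates PATTERN_TYPE_APACHE_ANT rules top-down and
# stops at the FIRST match, so order matters.
URL_RULES = [
    ("/admin/*", {"ROLE_ADMIN"}),
    ("/passwordHint.html*", {"ROLE_ANONYMOUS", "ROLE_ADMIN", "ROLE_USER"}),
    ("/signup.html*", {"ROLE_ANONYMOUS", "ROLE_ADMIN", "ROLE_USER"}),
    ("/a4j.res/*.html*", {"ROLE_ANONYMOUS", "ROLE_ADMIN", "ROLE_USER"}),
    ("/**/*.html*", {"ROLE_ADMIN", "ROLE_USER"}),
    ("/patient/list.html*", {"ROLE_ADMIN", "ROLE_USER"}),  # never reached: /**/*.html* already matched
]

# Method-layer rule. ASSUMED methodSecurityInterceptor entry: the class name and
# the ROLE_ADMIN restriction are not shown in the thread, only hinted at.
METHOD_RULES = {"org.appfuse.service.UserManager.getUsers": {"ROLE_ADMIN"}}


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex (simplified model)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):       # zero or more directories
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):      # anything, including slashes
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":                # anything within one path segment
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    # Acegi lowercases the URL before comparing by default; model that as IGNORECASE.
    return re.compile("^" + out + "$", re.IGNORECASE)


def authorize(url, user_roles, invoked_method=None, method_rules=METHOD_RULES):
    """Return (decision, layer, rule): which layer granted or denied the request."""
    for pattern, required in URL_RULES:
        if ant_to_regex(pattern).match(url):
            if not (user_roles & required):
                return ("denied", "url", pattern)
            break
    else:
        pattern = None  # no rule matched: Acegi lets unlisted URLs through by default
    # The web layer passed; the service call behind the page is checked next by
    # methodSecurityInterceptor, and that is where the AccessDeniedException comes from.
    required = method_rules.get(invoked_method)
    if required is None:
        return ("granted", "url", pattern)
    if not (user_roles & required):
        return ("denied", "method", invoked_method)
    return ("granted", "method", invoked_method)
```

Passing a method_rules dict that also lists ROLE_USER for getUsers is the model's equivalent of Mike's suggested change to security.xml.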