I implemented spring security in a controller method.
Below is my spring security.xml
```xml
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint" use-expressions="true">
    <!-- the "security:" prefix is added here; the element was unprefixed in the pasted file -->
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" pattern="/common/admin/**" />
    <security:intercept-url pattern="/common/accounting/**" access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login" />
</security:http>
```
Below is my controller:

```java
// GET form for creating an administrator; intended for ROLE_ADMIN only
@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.GET)
public String add(ModelMap map) {
    map.addAttribute(new Administrator());
    return "/common/admin/addAdmin";
}

// POST handler that persists the new administrator; intended for ROLE_ADMIN only
@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.POST)
public String processadd(@ModelAttribute("administrator") Administrator administrator) {
    this.administratorManager.addAdmin(administrator);
    return "/common/admin/success";
}
```
I allow the URL /common/admin/** for the admin and user roles, but I make some restrictions in the admin controller. When a user logs into /common/admin/* with the user role, he can, but he can also enter a method that is only for the administrator role.
How can I solve it?
Thanks!
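Added illustration, not code from the question or from any answer to it: the two authorization layers in this kind of setup written out so that a ROLE_USER who passes the URL filter is still stopped at the controller method. `@Secured` is only enforced once `<global-method-security>` is declared in the context that creates the controllers, and a more specific `intercept-url` placed before the broad one tightens the URL layer as well; the namespace prefixes, schema locations and the `proxy-target-class` setting are assumptions about the project.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; assumes the Spring Security 3.x XML namespace. Not the poster's file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Layer 1: the URL filter chain. intercept-url patterns are evaluated in declaration
       order and the first match wins, so the admin-only endpoint is listed BEFORE the
       broad rule that admits ROLE_USER to /common/admin/**. -->
  <security:http auto-config="false" entry-point-ref="authenticationEntryPoint"
                 use-expressions="true">
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url pattern="/common/admin/addAdmin"
                            access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/common/admin/**"
                            access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
    <security:intercept-url pattern="/common/accounting/**"
                            access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true"
                     logout-success-url="/login" />
  </security:http>

  <!-- Layer 2: method security. Without this element the @Secured annotations on the
       controller are never read, and a request that passed the URL layer reaches the
       method unchecked. It has to live in the application context that instantiates the
       controllers (normally the DispatcherServlet's *-servlet.xml, not the root context),
       and proxy-target-class="true" is needed when the controller implements no interface,
       so that a class-based proxy can wrap its methods. -->
  <security:global-method-security secured-annotations="enabled"
                                   proxy-target-class="true" />

</beans>
```

With both layers in place, a ROLE_USER session requesting /common/admin/addAdmin is rejected by the filter chain, and any other path into `add()` or `processadd()` is rejected by the method interceptor with an AccessDeniedException.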