I have my intercept-url configuration for Spring Security 3.1 like this:
<security:http use-expressions="true" disable-url-rewriting="true">
  <security:intercept-url pattern="/secure/admission/*" access="hasRole('ROLE_ADMISSIONER')" />
  <security:intercept-url pattern="/secure/subdean/*" access="hasRole('ROLE_SUBDEAN')" />
  <security:intercept-url pattern="/secure/referent/*" access="hasRole('ROLE_REFERENT')" />
  <security:intercept-url pattern="/secure/index.xhtml" access="hasRole('ROLE_REFERENT, ROLE_SUBDEAN')" />
  <security:intercept-url pattern="/secure/*" access="hasRole('ROLE_OMNI_ADMIN')" />
  <security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
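But now I have a problem: it is possible to access URLs of my application, e.g. my_application/PririzMaven/secure/admin/updateRole.xhtml, with the role ROLE_ADMISSIONER, the URL ..../secure/subdean/* with the same role, and so on... but this should be forbidden for this user.
Do you know where the problem might be?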
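An added example, not part of the original post and not Spring Security's own code: a simplified model of Ant-style, first-match-wins evaluation applied to the rules above, showing which rule decides each request path. Assumptions: paths are matched without the context path (/PririzMaven), the user is already authenticated, the paths under /secure/subdean/ are constructed samples, and `HARDENED` is a hypothetical variant that uses `**` so nested paths stay under the role rules.

```python
import re

# Rules from the question, in declaration order: (Ant pattern, role for hasRole, None = isAuthenticated()).
RULES = [
    ("/secure/admission/*", "ROLE_ADMISSIONER"),
    ("/secure/subdean/*", "ROLE_SUBDEAN"),
    ("/secure/referent/*", "ROLE_REFERENT"),
    # hasRole takes ONE role name, so this string is a single literal that no user holds.
    ("/secure/index.xhtml", "ROLE_REFERENT, ROLE_SUBDEAN"),
    ("/secure/*", "ROLE_OMNI_ADMIN"),
    ("/**", None),
]

# Hypothetical variant: a trailing "/*" becomes "/**" so deeper paths match too.
HARDENED = [(p[:-1] + "**" if p.endswith("/*") else p, r) for p, r in RULES]

def ant_to_regex(pattern):
    """Simplified Ant matching: '**' crosses '/', while '*' and '?' stay in one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def decide(path, authorities, rules=RULES):
    """Return (deciding pattern, allowed) for the first rule whose pattern matches."""
    for pattern, role in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, (True if role is None else role in authorities)
    return None, False

if __name__ == "__main__":
    user = {"ROLE_ADMISSIONER"}
    for path in ("/secure/admin/updateRole.xhtml",       # path named in the question
                 "/secure/subdean/list.xhtml",           # constructed sample
                 "/secure/subdean/reports/list.xhtml"):  # constructed sample, one level deeper
        print(path, "original:", decide(path, user), "hardened:", decide(path, user, HARDENED))
```

In this model `/secure/admin/updateRole.xhtml` matches none of the single-`*` patterns and is decided by `/**`, which only requires authentication.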