Unfortunately this version of the spec didn't managed to implement the authorization part and basically only deals with authentication.
However the Servlet spec has since the beginning the security-constraint element in the web.xml deployment descriptor. This is the only standard way to restrict role access to pages.
Where restricing based on roles, note that there are two special built-in ones, "*" and "**":
- * means any authenticated user which has at least one role, whatever it is, is granted access.
- ** means any autenticated user, even users without roles.
Guillermo González de Agüero
El mié., 9 de agosto de 2017 21:51, Saeed <sinaisix@...
Hi. I've been looking at the test examples and so far I'm able to follow them. However I'm at a loss about how to declare a specific set of say JSF pages as protected.
In Shiro, I can declare in the shiro.ini file that /foo/* is protected so only logged in users with certain roles can access it.
I'm not sure if I've seen such with JSec yet. Again pardon me if I miss the obvious.
Thanks in advance