Reputation: 1964
I am applying Spring Security to my Struts2 application. I can use the interceptor-url to provide access to main URLs, but not their subsets.
For example, I need to give users with the customer role access to only view the books, so I use the following:
<http auto-config="true" access-denied-page="/not.jsp" use-expressions="true">
....
<intercept-url pattern="/Books/view*" access="hasRole('ROLE_CUSTOMER')"/>
So I suppose users should be able to access localhost:8888/Books/view.action, but they are not, and it redirects them to the not.jsp page (access-denied-page).
I have tried all of the following, but none worked:
<intercept-url pattern="/Books/view.action" access="hasRole('ROLE_CUSTOMER')"/>
<intercept-url pattern="/Books/view**" access="hasRole('ROLE_CUSTOMER')"/>
<intercept-url pattern="/Books/view.action*" access="hasRole('ROLE_CUSTOMER')"/>
The only one that works is the following one, which gives access to all the actions (edit, delete and view), which I do not want.
<intercept-url pattern="/Books/*" access="hasRole('ROLE_CUSTOMER')" />
Upvotes: 0
Views: 104
Reputation:
Check the previous mappings. Do not forget that if you provide access to other roles for the same URL before it reaches this line, it will reject ROLE_CUSTOMER access to the address, so use other expressions to give access to all roles that need to have access to that URL all at once.
Upvotes: 1
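The ordering problem this answer describes, as an added configuration example that is not part of the original thread: Spring Security checks intercept-url rules top to bottom and the first matching pattern decides. The earlier `/Books/**` rule and `ROLE_ADMIN` are assumptions made for illustration, since the question does not show its other mappings.

```xml
<!-- Constructed "before": the broad rule comes first.
     Patterns are Ant-style by default: * stays within one path segment,
     ** spans segments. /Books/** therefore matches /Books/view.action,
     and because it is listed first it decides the request. -->
<http auto-config="true" access-denied-page="/not.jsp" use-expressions="true">
    <!-- Hypothetical earlier mapping: a ROLE_CUSTOMER user is denied here... -->
    <intercept-url pattern="/Books/**" access="hasRole('ROLE_ADMIN')"/>
    <!-- ...so this rule is never consulted for /Books/view.action. -->
    <intercept-url pattern="/Books/view*" access="hasRole('ROLE_CUSTOMER')"/>
</http>

<!-- Constructed "after": most specific pattern first, and every role that
     needs the URL is named in that one rule. -->
<http auto-config="true" access-denied-page="/not.jsp" use-expressions="true">
    <!-- Matches /Books/view.action; customers and admins may view. -->
    <intercept-url pattern="/Books/view*"
                   access="hasAnyRole('ROLE_CUSTOMER','ROLE_ADMIN')"/>
    <!-- Everything else under /Books/ (edit, delete) stays admin-only. -->
    <intercept-url pattern="/Books/**" access="hasRole('ROLE_ADMIN')"/>
</http>
```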
Reputation: 1678
Regex " * " means any phrase. So what I could think is that you don't have any URL pattern /Books/view or one with more characters after that word. Also, the regexes "/Books/view*" and "/Books/view" don't make any difference. They are the same.
But "/Books/*" is different from the others. It matches any URL that requests a resource at the /Books/ level.
What I can say is: recheck the URL patterns you have. I can't help without knowing them.
Upvotes: 0