Yes, as Jeremy states, if they have both roles, they can visit both URLs as you've defined the filters in that example.
But I would find it kinda strange if a student was also an admin (or vice versa) for a university site ;). It might be possible of course, but I would reckon that, if your last filter definition isn't sufficient, permissions might be a better solution to this particular problem - they allow you to be very targeted in who can do what. If roles are too coarse grained for certain edge requirements, that's where Permissions can come in and save some headaches. Cheers, Les On Wed, Apr 1, 2009 at 2:51 PM, Jeremy Haile <[email protected]> wrote: > Yes - if the user had both roles, they would be able to access both of the > URLs. > > > > On Apr 1, 2009, at 2:48 PM, Bruce Phillips wrote: > > >> Thanks for the quick reply. >> >> We may need to use permissions as you outlined. >> >> However, if a user has both the role of student and of admin, can that >> user then access the student URLs and the admin URLs: >> >> >> [urls] >> /students/** = authc, roles[student] >> /admin/** = authc, roles[admin] >> >> I don't have this web application setup yet so I cannot test it myself >> right now. We are trying to determine how best to configure the security >> given our requirements. >> >> Bruce >> >> -- >> View this message in context: >> http://n2.nabble.com/Allowing-Multiple-Roles-To-Access-A-URL-tp2570736p2570909.html >> Sent from the JSecurity User mailing list archive at Nabble.com. >> >> >
