I had this exact problem. The reason turned out to be that the authorization filter was not setting the URL. To fix this I overrode the SecurityFilterChainFactory service:
In your app module do:

    public static void bind(ServiceBinder binder) {
        // override
        binder.bind(SecurityFilterChainFactory.class, YourVersion.class).withId("YourVersion");
    }

    @Contribute(ServiceOverride.class)
    public static void overrideSecurityFilterChainFactory(MappedConfiguration<Class<?>, Object> cfg,
            @Local SecurityFilterChainFactory sfcf) {
        cfg.add(SecurityFilterChainFactory.class, sfcf);
    }

Then just extend shiro's auth filter like:

    @EagerLoad
    public class YourVersion extends SecurityFilterChainFactoryImpl {

        public YourVersion(PipelineBuilder builder, Logger logger,
                @Inject @Symbol(SecuritySymbols.SUCCESS_URL) String successUrl,
                @Inject @Symbol(SecuritySymbols.LOGIN_URL) String loginUrl,
                @Inject @Symbol(SecuritySymbols.UNAUTHORIZED_URL) String unauthorizedUrl) {
            super(builder, logger, successUrl, loginUrl, unauthorizedUrl);
        }

        @Override
        public RolesAuthorizationFilter roles() {
            RolesAuthorizationFilter r = super.roles();
            // the key setter that for some reason wasn't set
            r.setUnauthorizedUrl(AccessControlFilter.UNAUTHORIZED_URL);
            return r;
        }
    }

--
View this message in context: http://tapestry.1045711.n5.nabble.com/tynamo-tapestry-security-0-4-0-role-based-url-peimission-questions-tp4738124p4739125.html