The fact that /aDmin, /Admin, /ADmin, etc. all work is exactly the problem. That makes the whole URL protection mechanism useless and, even worse, it's not obvious it's not going to work. I just followed the example and it seemed to work.
It's not really a big deal to add the annotations, but in my case I've got more admin pages than non-admin pages, and if I forget one then that page is not protected. Plus one is compile time and the other is run time, so I can't do something like

[urls]
/hibernate/** = authc, roles[developer]

without recompiling the hibernate code. Again, I realize this is all a feature, but when all the features are combined the result does not seem so good.

From looking at the code it seems Shiro is using the ServletRequest to get the URL. That seems reasonable. Perhaps the solution is to create a TapestryIniShiroFilter and do a case-insensitive match there.
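
The mismatch described in this message, as an added example that is not part of the original post and is not Shiro or Tapestry code: a case-sensitive URL rule sitting in front of a router that resolves page names case-insensitively, next to the same rule with both sides lower-cased before matching. The class name, the simplified `/**` matcher, the `/admin/**` rule and the sample paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration; not Shiro or Tapestry code. The matcher below is a
// simplified stand-in that understands only exact paths and a trailing "/**".
public class CaseMismatchDemo {

    // Constructed [urls]-style rules: pattern -> filter chain.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/**", "authc, roles[admin]");
        RULES.put("/hibernate/**", "authc, roles[developer]");
    }

    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return path.equals(pattern);
    }

    // Returns the chain guarding the path, or null when no rule matches
    // (the request then reaches the page without any check).
    static String resolve(String path, boolean normalize) {
        String p = normalize ? path.toLowerCase(Locale.ROOT) : path;
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            String pattern = normalize ? rule.getKey().toLowerCase(Locale.ROOT) : rule.getKey();
            if (matches(pattern, p)) return rule.getValue();
        }
        return null;
    }

    // Stand-in for a router that resolves page names case-insensitively.
    static String route(String path) {
        return path.toLowerCase(Locale.ROOT).startsWith("/admin") ? "AdminPage" : "other";
    }

    public static void main(String[] args) {
        for (String path : List.of("/admin/users", "/Admin/users", "/aDmin/users")) {
            System.out.printf("%-14s page=%-9s sensitive=%-22s normalized=%s%n",
                path, route(path), resolve(path, false), resolve(path, true));
        }
    }
}
```

All three paths route to the same page, but only the lower-case one gets a chain from the case-sensitive lookup; the normalized lookup returns the same chain for all three.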