I have a file view.xml where my definitions of views are defined. My final page is constituted by several myFile.jspx files.
If I use , when I have ROLE_USER I can see the form for create, I get the access denied page only if I click in save, because the save method is mapped to POST and the ROLE_USER doesn't have this privilege.
How a can restrict an view by url in my security configuration xml directly? I want to go directly to the access denied page?
By creating a custom filter? I need a little advice
well, if I have the ROLE_USER I want to go to the access denied page if I click in the link create user, but actually, I can see the form for create and only after click in the button save, I go to denied page.
What I am trying to say is lets say you have a controller mapped like this
and this handles rendering the form for create.
and you also have a method like this
and this handles the save action for the create user form.
If you want to both of these to be access denied you want to change this
which only restricts the second to this
which will restrict it regardless of the HTTP method used.
Also another thing to be aware of when you are working on this is that when defining patterns remember that they are evaluated in the order they are defined, therefore more specific patterns should always be higher in the list than less specific patterns. I don't know if this is causing you issues since you just posted the one intercept-url but it is something you should keep in mind.
The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.
In your case your controller beans are most likely defined in your servlet-context.xml.