I have a Jakarta EE 10 application running in WildFly 30. In the web.xml I define a security-constraint:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AccountManager</web-resource-name>
        <url-pattern>/pages/person/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AccountManager</role-name>
    </auth-constraint>
</security-constraint>
In my software I made an <h:commandLink> with an action that results in /pages/person/change.xhtml. A user who does not have the AccountManager role can get that page. The previous URL is shown in the browser's URL bar, which is strange, but that is normal with Jakarta Faces. How can I prevent this?
I should make the <h:commandLink> render only for an AccountManager, but I hoped that the security-constraint would catch that link.
If the user enters the URL for pages/person/change.xhtml in the URL bar, he receives a decent 403 (this is how it should work).
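The behaviour above follows from the Servlet security model: the container checks a security-constraint against the URL of the incoming request, not against resources reached by a server-side forward, and a Faces navigation outcome is rendered by a forward unless it is a redirect. The following backing bean is an added example, not code from the question; the bean name PersonNavigator, its package and the action name toChange are assumptions. It turns the navigation into a client redirect, so the browser issues a new GET for /pages/person/change.xhtml that the constraint does apply to, and it also checks the role explicitly in the action as defence in depth.

```java
package example; // hypothetical package

import jakarta.enterprise.context.RequestScoped;
import jakarta.faces.context.ExternalContext;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Named;
import java.io.IOException;

// Hypothetical backing bean for the <h:commandLink>, e.g.
// <h:commandLink value="Change" action="#{personNavigator.toChange}"/>
@Named
@RequestScoped
public class PersonNavigator {

    private static final String ACCOUNT_MANAGER = "AccountManager";

    public String toChange() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();

        // Defence in depth: the web.xml constraint is only evaluated for the request URL
        // (here the POST to the page holding the link), so a plain forward to
        // /pages/person/change.xhtml would never be checked by the container.
        if (!ext.isUserInRole(ACCOUNT_MANAGER)) {
            ext.responseSendError(403, "Role " + ACCOUNT_MANAGER + " required");
            ctx.responseComplete(); // stop the Faces lifecycle; nothing else is rendered
            return null;
        }

        // faces-redirect=true makes Faces send a redirect instead of forwarding; the
        // browser's follow-up GET is an ordinary request, so the /pages/person/*
        // constraint is enforced by WildFly and the URL bar shows the real page.
        return "/pages/person/change.xhtml?faces-redirect=true";
    }
}
```

Even with the redirect, keep the explicit role check (or the rendered="#{request.isUserInRole('AccountManager')}" attribute on the link): any other navigation that still forwards would otherwise reach the page unchecked.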