In web.xml:

add an ADDITIONAL servlet mapping for your tapestry application to /admin, and add the following:

1. <security-constraint>
2.  <web-resource-collection>
3. <url-pattern>/admin/*</url-pattern>
4.  </web-resource-collection>
5.  <auth-constraint>
6. <ROLE-name>ADMIN</role-name>
7.  </auth-constraint>
8. </security-constraint>

In your base class for protected pages:

public void validate(IRequestCycle cycle) throws RequestCycleException {
boolean isAdmin = getRequestCycle().getRequestContext().getRequest().isUserInRole("ADMIN");
if (!isAdmin) {
// not in right role
throw new PageRedirectException.......
}

}

you can have a number of mappings for the same app-servlet to different URIs, that WAY you can rely a BIT more on the declarative security.

In web.xml:

add an additional servlet mapping for your tapestry application to /admin, and add the following:

In your base class for protected pages:

public void validate(IRequestCycle cycle) throws RequestCycleException {
boolean isAdmin = getRequestCycle().getRequestContext().getRequest().isUserInRole("ADMIN");
if (!isAdmin) {
// not in right role
throw new PageRedirectException.......
}

}

you can have a number of mappings for the same app-servlet to different URIs, that way you can rely a bit more on the declarative security.