<!-- Uncomment before going to production as it displays nicer error messages to users -->
<property name="exceptionPageName" value="error"/>
> I think the users page is not secured in the tapestry-appfuse package. If I am login as the "tomcat" user and change the url to users.html, I still get the list of all users! If I try the same in the struts-appfuse package, I get the "Access Denied" page like it should be! I could not find a difference in the ApplicationContext-security.xml. As per this configuration the getUsers method should be only accessible for a "admin" user but surprisingly it also accessible for the user tomcat who is not a admin!