Saturday, October 12, 2013

Spring Security 3.1.3 permission check bypassed when an attacker appends request parameters

I built an application on Spring Security 3.1.3, but SS's URL interception does not work when the request carries parameters: as long as a request that originally requires the ADMIN role has some parameters appended, you can bypass the authorization check and access the system's resources. For example:
/a.jsp requires ADMIN rights to be accessed; however, a user can use /a.jsp?name=aa to bypass SS's permission check.
How can this problem be solved?
------ Solution ------------------------------------------
Anti-hotlinking feature: filter on the URL.
------ Solution ------------------------------------------
Don't put the user's permissions inside the session?

------ Solution ------------------------------------------
I don't know how your interceptor is configured.

If it is like that above, then below, in relation to it

------ Solution ------------------------------------------
Put the URLs into the database and control access privileges through the URL.
------ Solution ------------------------------------------
I think a filter can handle it directly! (userid, roleid, sessionid, url; best if the url is encoded; you can also get other information.)
------ Solution ------------------------------------------
Assume /user is intercepted as follows:

<security:intercept-url pattern="/user/**" access="hasRole('ADMIN')" />

------ For reference only ---------------------------------
I ran into the same problem.
When the resources are stored in the database, fuzzy matching such as /user/** is not supported.
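Added example (my own illustration, not code from any poster in this thread): the symptom described in the question and the "database does not support /user/**" complaint above are what you get when a database-backed FilterInvocationSecurityMetadataSource looks up FilterInvocation.getRequestUrl() by exact string match. In Spring Security 3.1 that string is servletPath + pathInfo + "?" + queryString, so "/a.jsp?name=aa" finds no row for "/a.jsp", the lookup returns null, and the interceptor treats the URL as public; an exact-match table also cannot express a pattern like /user/**. The class below shows that broken lookup beside a version that matches on the path only with AntPathRequestMatcher. The in-memory map standing in for the resource table and the rule contents are assumptions; a real implementation would load the same (pattern, attributes) rows from the database at startup.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
// 3.1.x package; from 3.2 the class lives in org.springframework.security.web.util.matcher
import org.springframework.security.web.util.AntPathRequestMatcher;

/**
 * Example only: URL-to-role metadata source backed by a "resource table".
 * The table is an in-memory map here (assumption); load it from the
 * database in a real deployment.
 */
public class DbUrlSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    /* ---- BROKEN: exact match on the raw request URL ---------------------
     * FilterInvocation.getRequestUrl() includes the query string, so an
     * exact lookup matches "/a.jsp" but not "/a.jsp?name=aa", and it can
     * never match a pattern such as "/user/**". A null result means "no
     * attributes", which AbstractSecurityInterceptor treats as a public URL
     * unless rejectPublicInvocations is set on the interceptor.
     */
    private final Map<String, Collection<ConfigAttribute>> exactTable =
            new LinkedHashMap<String, Collection<ConfigAttribute>>();

    public Collection<ConfigAttribute> brokenLookup(FilterInvocation fi) {
        return exactTable.get(fi.getRequestUrl()); // "/a.jsp?name=aa" -> null -> no check
    }

    /* ---- FIXED: Ant-style match on the path only ------------------------
     * AntPathRequestMatcher compares servletPath + pathInfo and ignores the
     * query string, so "/a.jsp?name=aa" hits the "/a.jsp" rule and
     * "/user/list.jsp" hits "/user/**".
     */
    private final Map<AntPathRequestMatcher, Collection<ConfigAttribute>> patternTable =
            new LinkedHashMap<AntPathRequestMatcher, Collection<ConfigAttribute>>();

    public DbUrlSecurityMetadataSource() {
        // Rule contents are assumptions for the example.
        exactTable.put("/a.jsp", SecurityConfig.createList("ROLE_ADMIN"));

        // Insertion order matters: first match wins, so keep specific rules
        // before broad ones (an ordering column in the DB does the same job).
        patternTable.put(new AntPathRequestMatcher("/a.jsp"), SecurityConfig.createList("ROLE_ADMIN"));
        patternTable.put(new AntPathRequestMatcher("/user/**"), SecurityConfig.createList("ROLE_ADMIN"));
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
        for (Map.Entry<AntPathRequestMatcher, Collection<ConfigAttribute>> rule : patternTable.entrySet()) {
            if (rule.getKey().matches(request)) {
                return rule.getValue();
            }
        }
        // Unlisted URL. Either return null and set rejectPublicInvocations=true
        // on the FilterSecurityInterceptor, or end the table with a catch-all
        // rule, so that a missing row never silently means "public".
        return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        List<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> attrs : patternTable.values()) {
            all.addAll(attrs);
        }
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

Wire the class into the FilterSecurityInterceptor through its securityMetadataSource property (or use the same rows to generate the intercept-url entries at startup). Two checks worth making on the original setup: the stock <security:intercept-url> matcher in 3.1.3 already ignores the query string, so if the bypass reproduces with only namespace configuration, look for a custom metadata source or filter that compares the full URL; and if the configuration uses request-matcher="regex", RegexRequestMatcher does include the query string, so a pattern written as /a\.jsp must allow for it (for example /a\.jsp(\?.*)?) or the same bypass appears.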
