The Administration GUI can be accessed from the /weave/admin.html URL once the Weave instance is running.
To secure access to the GUI, edit the security.xml file and add three entries to the list of paths that need to be secured.
These three entries need to be added to the filterInvocationInterceptor.
In a default Weave installation there is only one entry in this list:
/**=IS_AUTHENTICATED_ANONYMOUSLY
To secure the Administration GUI you need to include the three new entries along with the existing one:
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN
Note that ROLE_ADMIN may need to change depending upon how you've updated the authentication in the rest of the security.xml file.
The role represents a group that the user must belong to before they can access the Administration GUI. For example, if you're using the default users.properties file, then the following entries will grant access to Bob and Ted, but not Alice:
bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING
If you're using LDAP, Active Directory or some other authentication mechanism, then the role you need to set will depend on the groups that those authentication sources grant to the user. These roles are the same ones that you would use when creating an ACL within Weave itself.
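The following is an added example, not part of Weave or of the original page: a small offline check that evaluates the path entries and users.properties lines shown above and reports who can reach the Administration GUI. It assumes the first matching pattern decides (the usual behaviour of Spring Security style path lists, so the catch-all `/**` entry is placed last) and uses a simplified Ant-style matcher; the function names are hypothetical.

```python
import re

# Constructed sample input: the entries shown on this page, specific paths first.
RULES = """\
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN
/**=IS_AUTHENTICATED_ANONYMOUSLY
"""
USERS = """\
bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING
"""

def parse(text):
    """Return [(key, [comma-separated values])] in file order."""
    pairs = (line.strip().split("=", 1) for line in text.splitlines() if "=" in line)
    return [(key, value.split(",")) for key, value in pairs]

def ant_regex(pattern):
    """Simplified Ant-style matcher: ** spans directories, * and ? stay in one segment."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.compile(rx + r"\Z")

def required_attrs(path, rules):
    """Assumption: the first matching pattern decides, later ones are ignored."""
    for pattern, attrs in rules:
        if ant_regex(pattern).match(path):
            return set(attrs)
    return set()

def can_access(user, path, rules, users):
    """True if the path is open to everyone or the user holds a required role."""
    attrs = required_attrs(path, rules)
    if not attrs or "IS_AUTHENTICATED_ANONYMOUSLY" in attrs:
        return True
    roles = set(dict(users)[user][1:])  # field 0 is the password
    return bool(attrs & roles)

def shadowed(rules):
    """Patterns listed after the catch-all /** can never be the first match."""
    names = [pattern for pattern, _ in rules]
    return names[names.index("/**") + 1:] if "/**" in names else []

if __name__ == "__main__":
    rules, users = parse(RULES), parse(USERS)
    for user, _ in users:
        print(user, can_access(user, "/admin.html", rules, users))
    print("shadowed:", shadowed(rules))
```

If `shadowed()` returns any of the admin patterns, the `/**` entry precedes them in the list and, under the first-match assumption, the ROLE_ADMIN restriction would never apply.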