
SEC-1757: Updated tutorial sample to state that listing of accounts is allowed by anyone and to display accounts for the different types of access to posting to Accounts

Rob Winch 14 years ago
commit
c9b328d8c7

+ 8 - 0
samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp

@@ -12,6 +12,14 @@
 <div id="content">
 
 <h1>Accounts</h1>
+<p>
+Anyone can view this page, but posting to an Account requires login and must be authorized. Below are some users to try posting to Accounts with.
+</p>
+<ul>
+<li>rod/koala - can post to any Account</li>
+<li>dianne/emu - can post to Accounts as long as the balance remains above the overdraft amount</li>
+<li>scott/wombat - cannot post to any Accounts</li>
+</ul>
 
 <a href="index.jsp">Home</a><br><br>
 
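Review bot: the three added list items (`rod/koala`, `dianne/emu`, `scott/wombat`) never say that the pairs are username/password, nor that they are sample-only accounts, and the paragraph just above them states that anyone can view this page. Suggest labelling them explicitly, for example "Sample users (username/password) for this tutorial:", so that a reader who copies the sample does not carry these accounts into a real deployment. In the added paragraph, "posting to an Account requires login and must be authorized" also reads as if the posting itself must be authorized by someone; "requires login and authorization" would be clearer.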

+ 1 - 1
samples/tutorial/src/main/webapp/index.jsp

@@ -18,7 +18,7 @@
 Anyone can view this page.
 </p>
 <p>
-If you're logged in, you can <a href="listAccounts.html">list accounts</a>.
+While anyone can also view the <a href="listAccounts.html">list accounts</a> page, you must be authorized to post to an Account from the list accounts page.
 </p>
 <p>
 Your principal object is....: <%= request.getUserPrincipal() %>
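Review bot: the replacement sentence for the `listAccounts.html` link changes the stated access policy from "If you're logged in" to "anyone can also view", but this diff touches only JSP text, so nothing visible here shows that the access rule for `listAccounts.html` actually permits anonymous requests. Please confirm that the security configuration matches the new wording, or include that change in this commit, otherwise the page will describe a policy the application does not enforce. Minor style point: the sentence names "the list accounts page" twice and could end at "to post to an Account from it".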