diff --git a/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java b/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
index 0be05e5821..beba3ea066 100644
--- a/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
@@ -44,6 +44,7 @@ import sonia.scm.api.rest.UriExtensionsConfig;
 import sonia.scm.cache.CacheManager;
 import sonia.scm.cache.EhCacheManager;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.filter.AdminSecurityFilter;
 import sonia.scm.filter.GZipFilter;
 import sonia.scm.filter.SSLFilter;
 import sonia.scm.filter.SecurityFilter;
@@ -97,9 +98,17 @@ import javax.xml.bind.JAXB;
 public class ScmServletModule extends ServletModule
 {
 
+  /** Field description */
+  public static final String[] PATTERN_ADMIN = new String[] {
+                                                 "/api/rest/groups*",
+          "/api/rest/users*", "/api/rest/plguins*" };
+
   /** Field description */
   public static final String PATTERN_ALL = "/*";
 
+  /** Field description */
+  public static final String PATTERN_CONFIG = "/api/rest/config*";
+
   /** Field description */
   public static final String PATTERN_DEBUG = "/debug.html";
 
@@ -210,6 +219,7 @@ public class ScmServletModule extends ServletModule
     filter(PATTERN_ALL).through(SSLFilter.class);
     filterRegex(RESOURCE_REGEX).through(GZipFilter.class);
     filter(PATTERN_RESTAPI, PATTERN_DEBUG).through(SecurityFilter.class);
+    filter(PATTERN_CONFIG, PATTERN_ADMIN).through(AdminSecurityFilter.class);
 
     // debug servlet
     serve(PATTERN_DEBUG).with(DebugServlet.class);
diff --git a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/ConfigurationResource.java b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/ConfigurationResource.java
index 7846bc21fa..b8b5662317 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/ConfigurationResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/ConfigurationResource.java
@@ -99,9 +99,20 @@ public class ConfigurationResource
    */
   @GET
   @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
-  public ScmConfiguration getConfiguration()
+  public Response getConfiguration()
   {
-    return configuration;
+    Response response = null;
+
+    if (SecurityUtil.isAdmin(securityContextProvider))
+    {
+      response = Response.ok(configuration).build();
+    }
+    else
+    {
+      response = Response.status(Response.Status.FORBIDDEN).build();
+    }
+
+    return response;
   }
 
   //~--- set methods ----------------------------------------------------------
diff --git a/scm-webapp/src/main/java/sonia/scm/filter/AdminSecurityFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/AdminSecurityFilter.java
new file mode 100644
index 0000000000..272803d0b2
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/filter/AdminSecurityFilter.java
@@ -0,0 +1,81 @@
+/**
+ * Copyright (c) 2010, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.filter;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import sonia.scm.util.SecurityUtil;
+import sonia.scm.web.security.WebSecurityContext;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+@Singleton
+public class AdminSecurityFilter extends SecurityFilter
+{
+
+  /**
+   * Constructs ...
+   *
+   *
+   * @param securityContextProvider
+   */
+  @Inject
+  public AdminSecurityFilter(
+          Provider<WebSecurityContext> securityContextProvider)
+  {
+    super(securityContextProvider);
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param securityContext
+   *
+   * @return
+   */
+  @Override
+  protected boolean hasPermission(WebSecurityContext securityContext)
+  {
+    return SecurityUtil.isAdmin(securityContext);
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java
index 5bf0cb0a3a..b5d79a4d40 100644
--- a/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java
@@ -29,6 +29,8 @@
  *
  */
 
+
+
 package sonia.scm.filter;
 
 //~--- non-JDK imports --------------------------------------------------------
@@ -102,15 +104,19 @@ public class SecurityFilter extends HttpFilter
 
       if (!uri.startsWith(URL_AUTHENTICATION))
       {
-        if (securityContext.isAuthenticated())
+        if (hasPermission(securityContext))
         {
           chain.doFilter(new SecurityHttpServletRequestWrapper(request,
                   securityContext.getUser()), response);
         }
-        else
+        else if (securityContext.isAuthenticated())
         {
           response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
         }
+        else
+        {
+          response.sendError(HttpServletResponse.SC_FORBIDDEN);
+        }
       }
       else
       {
@@ -123,6 +129,21 @@ public class SecurityFilter extends HttpFilter
     }
   }
 
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param securityContext
+   *
+   * @return
+   */
+  protected boolean hasPermission(WebSecurityContext securityContext)
+  {
+    return securityContext.isAuthenticated();
+  }
+
   //~--- fields ---------------------------------------------------------------
 
   /** Field description */