Multiple Security Rules

I went through the documentation on setting up multiple security rules
but I am still having a problem. If you look at the rule below, I
only want users with the role of Seller to be able to access
SelfService. However, if I log in as a buyer I am still able to access
it. I'm not sure what I'm doing wrong here.

<rules>
  <rule>
        <whitelist>lot\..*,security\..*,main\..*,general\..*,tag
\..*,content\..*,feed\..*,survey\..*,company\..*,civicArena\..*</

        <securelist></securelist>
        <roles>Buyer,Seller</roles>
        <permissions></permissions>
        <redirect>security.Login</redirect>
    </rule>

  <rule>
        <whitelist></whitelist>
        <securelist>^selfservice</securelist>
        <roles>Seller</roles>
        <permissions></permissions>
        <redirect>security.Login</redirect>
    </rule>
</rules>

Who is doing the validation, the interceptor or you use a custom validator?

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com