
Say I have a profile page, which has an 'edit your profile' link. The profile page can be viewed by all users, but the edit link should be visible only to a logged-in user viewing his own profile, not another user's profile.

As of now I have this code,

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<sec:authorize access="isAuthenticated()">
    <sec:authentication property="principal.username" var="principal"/>
    <%-- profile_username is the username of the viewed profile --%>
    <c:if test="${profile_username eq principal}">
        <%-- edit your profile link --%>
    </c:if>
</sec:authorize>

Is there a cleaner way of doing this? Maybe a one-liner like

<sec:authorize access="isTheSamePerson()"/>.

Thanks in advance. :)

shazinltc
  • You shouldn't need the sec:authorize tag, if the user isn't logged in, the principal object will be null, and the c:if test will fail. Not exactly what you wanted, but it would clean it up a little. – dardo Jan 22 '13 at 15:21
  • nice catch. But, that won't work without an sec:auth tag. It will throw an exception. – shazinltc Jan 22 '13 at 16:30

1 Answer


You want to take the actual domain object into account. There is a special ACL feature in Spring Security for these purposes. You can set it up and use the corresponding accesscontrollist tag:

<sec:accesscontrollist hasPermission="2" domainObject="${profile}">
    <%-- Your edit link goes here --%>
    <%-- "2" is the mask of BasePermission.WRITE --%>
    <%-- Be sure that you use Spring Security >= 3.1.2. This syntax may not work in earlier versions due to bugs --%>
</sec:accesscontrollist>

It may be an overkill if you have only one situation like this.

Option number 2. You can define a custom web security expression:

<sec:authorize access="isOwner(#profile)"/>.

It is not so simple either.

I think a custom JSP tag (tag file) will be the most simple solution:

<customtags:authorizeeditaccount account="${profile}"/> 

This tag will do the same things. It will look much better.

Maksym Demidas
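The tag file the answer recommends, written out as an added example (this is not the answer author's code, and nothing here is part of Spring Security itself). It assumes the tag file lives at /WEB-INF/tags/authorizeeditaccount.tag, that the object passed as `account` exposes a `username` property (for example a Profile bean), and that the edit page is at /profile/edit; those names and paths are assumptions. The block contains two files, the tag file and the page that uses it:

```jsp
<%-- /WEB-INF/tags/authorizeeditaccount.tag (file name and location are assumed) --%>
<%@ tag body-content="scriptless"
        description="Renders its body only when the logged-in user owns the given account" %>
<%@ attribute name="account" required="true" type="java.lang.Object" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Guarding with isAuthenticated() matters: for an anonymous visitor the principal is a
     plain string (e.g. "anonymousUser") with no 'username' property, so reading
     principal.username without this guard fails, which is the exception noted in the question. --%>
<sec:authorize access="isAuthenticated()">
    <sec:authentication property="principal.username" var="principalName"/>
    <%-- 'account' is assumed to expose a 'username' property --%>
    <c:if test="${not empty principalName and account.username eq principalName}">
        <jsp:doBody/>
    </c:if>
</sec:authorize>

<%-- profile.jsp: how the page uses the tag --%>
<%@ taglib prefix="customtags" tagdir="/WEB-INF/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<customtags:authorizeeditaccount account="${profile}">
    <%-- /profile/edit is an assumed URL --%>
    <a href="<c:url value='/profile/edit'/>">Edit your profile</a>
</customtags:authorizeeditaccount>
```

Whichever of the three options you pick, the tag only decides what is rendered. A user who is not the owner can still type the edit URL by hand, so the controller that serves /profile/edit (and the one that processes the submitted form) must repeat the ownership check server-side, for example with a method-level @PreAuthorize rule or an explicit comparison against the authenticated principal.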