The Spring Security tag library is declared at the top of the page with the prefix 'sec'. Around the delete link, the sec:authorize tag is configured
to render the link only if the user holds the role 'ROLE_ADMIN'. Hiding the link is only a UI convenience: it does not stop someone who knows
the URL from submitting the delete request directly. Below, in the PersonService, the @Secured annotation enforces the rule that only an admin can delete a record — that server-side check is the actual access control.
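<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%--
  Person search results: one row per entry in ${persons}, with an edit link and,
  for ROLE_ADMIN only, a POST form that deletes the record.
  Hiding the delete control is a UI nicety, not authorization: anyone who knows
  /person/delete.html can POST to it, so the service layer must enforce the role.
--%>
<h1><fmt:message key="person.search.title"/></h1>
<table class="search">
  <thead>
    <tr>
      <th scope="col"><fmt:message key="person.form.firstName"/></th>
      <th scope="col"><fmt:message key="person.form.lastName"/></th>
      <%-- action column; give it an i18n label once a message key exists --%>
      <th scope="col"></th>
    </tr>
  </thead>
  <tbody>
  <c:forEach var="person" items="${persons}" varStatus="status">
    <c:set var="personFormId" value="person${status.index}"/>
    <c:url var="editUrl" value="/person/form.html">
      <c:param name="id" value="${person.id}"/>
    </c:url>
    <tr>
      <%-- ${...} in JSP EL does not HTML-escape; names are user-supplied data, so escape them. --%>
      <td><c:out value="${person.firstName}"/></td>
      <td><c:out value="${person.lastName}"/></td>
      <td>
        <a href='<c:out value="${editUrl}"/>'><fmt:message key="button.edit"/></a>
        <sec:authorize ifAllGranted="ROLE_ADMIN">
          <c:url var="deleteUrl" value="/person/delete.html"/>
          <%-- The form lives inside the cell (a <form> directly under <tr> is invalid HTML) and is
               submitted by a real button instead of a javascript: URL, so it works without script,
               is keyboard-reachable, and does not need an inline-script CSP exception. --%>
          <form id="${personFormId}" action="${deleteUrl}" method="post">
            <%-- no id on the hidden field: the old id="id" was duplicated on every row --%>
            <input name="id" type="hidden" value="${person.id}">
            <%-- NOTE(review): this state-changing POST carries no CSRF token. If Spring Security's CSRF
                 protection is enabled (3.2+), emit its token here (e.g. <sec:csrfInput/>) — confirm the
                 version in use; ifAllGranted suggests an older release. --%>
            <button type="submit"><fmt:message key="button.delete"/></button>
          </form>
        </sec:authorize>
      </td>
    </tr>
  </c:forEach>
  </tbody>
</table>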