The security tag is defined at the top of the page with a prefix of 'sec'. Then around delete link the sec:authorize tag is configured
to only show the link if the user is in the role 'ROLE_ADMIN'. Now, this doesn't actually stop someone from executing a delete query if they know
the URL. Below, in the PersonDao
, the @Secured
tag is configured to enforce the rule that only an admin can delete a record.
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%> <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <h1><fmt:message key="person.search.title"/></h1> <table class="search"> <tr> <th><fmt:message key="person.form.firstName"/></th> <th><fmt:message key="person.form.lastName"/></th> </tr> <c:forEach var="person" items="${persons}" varStatus="status"> <tr> <c:set var="personFormId" value="person${status.index}"/> <c:url var="editUrl" value="/person/form.html"> <c:param name="id" value="${person.id}" /> </c:url> <sec:authorize ifAllGranted="ROLE_ADMIN"> <c:url var="deleteUrl" value="/person/delete.html"/> <form id="${personFormId}" action="${deleteUrl}" method="POST"> <input id="id" name="id" type="hidden" value="${person.id}"/> </form> </sec:authorize> <td>${person.firstName}</td> <td>${person.lastName}</td> <td> <a href='<c:out value="${editUrl}"/>'><fmt:message key="button.edit"/></a> <sec:authorize ifAllGranted="ROLE_ADMIN"> <a href="javascript:document.forms['${personFormId}'].submit();"><fmt:message key="button.delete"/></a> </sec:authorize> </td> </tr> </c:forEach> </table>