show.jspx - how do I apply Spring Security to the delete icon?

    I scaffolded up a web app with Roo 1.2.2, and am attempting to suppress the delete icon normally shown in a list table for an entity. I want to only allow users with an admin role to see the delete link:

    Code:
    <jsp:root xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:fn="http://java.sun.com/jsp/jstl/functions" xmlns:util="urn:jsptagdir:/WEB-INF/tags/util" xmlns:form="http://www.springframework.org/tags/form" xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:spring="http://www.springframework.org/tags" xmlns:sec="http://www.springframework.org/security/tags" version="2.0">
      <jsp:output omit-xml-declaration="yes" />
    
      <jsp:directive.attribute name="id" type="java.lang.String" required="true" rtexprvalue="true" description="The identifier for this tag (do not change!)" />
      <jsp:directive.attribute name="object" type="java.lang.Object" required="true" rtexprvalue="true" description="The form backing object" />
      <jsp:directive.attribute name="path" type="java.lang.String" required="true" rtexprvalue="true" description="Specify the URL path" />
      <jsp:directive.attribute name="list" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'list' link into table (default true)" />
      <jsp:directive.attribute name="create" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'create' link into table (default true)" />
      <jsp:directive.attribute name="update" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'update' link into table (default true)" />
      <jsp:directive.attribute name="delete" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'delete' link into table (default true)" />
      <jsp:directive.attribute name="label" type="java.lang.String" required="false" rtexprvalue="true" description="The label used for this object, will default to a message bundle if not supplied" />
      <jsp:directive.attribute name="render" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Indicate if the contents of this tag and all enclosed tags should be rendered (default 'true')" />
      <jsp:directive.attribute name="openPane" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Control if the title pane is opened or closed by default (default: true)" />
      <jsp:directive.attribute name="z" type="java.lang.String" required="false" description="Used for checking if element has been modified (to recalculate simply provide empty string value)" />
    
      <c:if test="${empty render or render}">
        <c:if test="${empty label}">
          <spring:message code="label_${fn:toLowerCase(fn:substringAfter(id,'_'))}" var="label" htmlEscape="false" />
        </c:if>
    
        <c:if test="${empty list}">
          <c:set var="list" value="true" />
        </c:if>
    
        <c:if test="${empty create}">
          <c:set var="create" value="true" />
        </c:if>
    
        <c:if test="${empty update}">
          <c:set var="update" value="true" />
        </c:if>
    
        <c:if test="${empty delete}">
          <c:set var="delete" value="true" />
        </c:if>
    
        <spring:message var="typeName" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_new_label" htmlEscape="false" />
        <spring:message var="typeNamePlural" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_list_label" htmlEscape="false" />
    
        <spring:message arguments="${label}" code="entity_show" var="title_msg" htmlEscape="false" />
        <util:panel id="${id}" title="${title_msg}" openPane="${openPane}">
          <c:choose>
            <c:when test="${not empty object}">
              <jsp:doBody />
              <div class="quicklinks">
                <span>
                  <c:if test="${delete}">
                    <spring:url value="${path}/${itemId}" var="delete_form_url" />
                    <spring:url value="/resources/images/delete.png" var="delete_image_url" />
                    <sec:authorize ifAllGranted="ROLE_ADMIN">
                    <form:form action="${delete_form_url}" method="DELETE">
                      <spring:message arguments="${typeName}" code="entity_delete" var="delete_label" htmlEscape="false" />
                      <c:set var="delete_confirm_msg">
                        <spring:escapeBody javaScriptEscape="true">
                          <spring:message code="entity_delete_confirm" />
                        </spring:escapeBody>
                      </c:set>
                      <input alt="${fn:escapeXml(delete_label)}" class="image" src="${delete_image_url}" title="${fn:escapeXml(delete_label)}" type="image" value="${fn:escapeXml(delete_label)}" onclick="return confirm('${fn:escapeXml(delete_confirm_msg)}');" />
                    </form:form>
                    </sec:authorize>
                  </c:if>
                </span>
    
    ...
    But, even with the sec:authorize tag surrounding the DELETE form, it still shows up for all users.

    Suggestions?

    -Jeff

  • #2
    Ok, figured it out. The correct place to modify access to these controls is in /src/main/webapp/WEB-INF/tags/form/fields/table.tagx

    -Jeff

  • #3
    Originally posted by JeffH:
    Ok, figured it out. The correct place to modify access to these controls is in /src/main/webapp/WEB-INF/tags/form/fields/table.tagx

    It is a good design pattern to deny the operation on the server too.
    For this, you can use the following annotation on the Controller or Entity delete method:

    @Secured({"ROLE_NAME1","ROLE_NAME2"})

    Regards!

  • #4
    Originally posted by mmartinez:
    It is a good design pattern to deny the operation on the server too.
    For this, you can use the following annotation on the Controller or Entity delete method:

    @Secured({"ROLE_NAME1","ROLE_NAME2"})

    Regards!

    Yes, true, but I don't want the user to even get that far. I'm trying to hide things he doesn't have access to, and I also need to secure the URLs so he can't just paste them in to get around the hidden controls. I'll probably have to use @Secured on the controllers for this, as it's difficult to come up with intercept-url expressions for some of the CRUD URLs generated by the scaffolding engine.

    -Jeff
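    The server-side check that #3 and #4 describe, as an added example that is not code from the thread or from Roo itself: a Roo-style controller whose DELETE handler carries @Secured, so that hiding the icon in table.tagx is backed by an enforced check on the URL. The Widget entity, the package names and the controller are hypothetical; the handler signature follows the shape Roo 1.2 scaffolds.

    ```java
    package com.example.web; // hypothetical package, not from the thread

    import org.springframework.security.access.annotation.Secured;
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;

    // Hypothetical Roo-style active-record entity: Roo's generated ITD would
    // supply the static finder and remove() used below.
    import com.example.domain.Widget;

    @RequestMapping("/widgets")
    @Controller
    public class WidgetController {

        // Roo generates this handler in WidgetController_Roo_Controller.aj.
        // Use Roo's push-in refactoring to move it into this .java class so it
        // can carry @Secured; Roo then regenerates the ITD without the method.
        // The view may hide the delete icon, but this annotation is what
        // rejects a hand-typed DELETE /widgets/{id} from a user without
        // ROLE_ADMIN (AccessDeniedException, handled by Spring Security).
        @Secured("ROLE_ADMIN")
        @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = "text/html")
        public String delete(@PathVariable("id") Long id,
                             @RequestParam(value = "page", required = false) Integer page,
                             @RequestParam(value = "size", required = false) Integer size,
                             Model uiModel) {
            Widget widget = Widget.findWidget(id);
            widget.remove();
            // Same redirect handling Roo's scaffolded delete performs.
            uiModel.asMap().clear();
            uiModel.addAttribute("page", (page == null) ? "1" : page.toString());
            uiModel.addAttribute("size", (size == null) ? "10" : size.toString());
            return "redirect:/widgets";
        }
    }
    ```

    @Secured is only enforced when <global-method-security secured-annotations="enabled" /> is declared, and because method-security proxies are not applied to beans of a child context, for controllers it must be declared in the context that defines them (Roo's webmvc-config.xml), not only in applicationContext-security.xml.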
