I am trying to to setup a security policy in Spring such that anyone can read any entities created in roo but only the admin user (specified in the applicationContext-security.xml) can create/update/delete. It seems to me I should be able to achieve my goal by customizing applicationContext-security.xml but I can’t figure out a way. I thought of using intercept-url like:

<intercept-url pattern="/anyEntity/*?form" access="hasRole('ROLE_ADMIN')" />

but this config does not cover DELETE because it is a hidden field in POST (according to the doc, post method is supported but there is no doc on how to specify a hidden field value in the intercept-url tag)

Another way would be to use @secured on entity setter methods. I currently rely on roo to generate the getters/setters so I would like to avoid using it if possible

I can also write a custom controller to do the filtering I suppose. But seems to me I should be able to just customize the configuration. I must be missing something obvious because a public read-only policy should be a very common strategy.