Home/ Questions/Q 6607065
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T19:27:46+00:00

I use Spring and Spring Security 3 at my application. All my clients side

  • 0

I use Spring and Spring Security 3 at my application. All my clients side are static HTML files. I have a navigation bar that includes buttons like:

  • List
  • Edit
  • Delete
  • Update

When a user clicks any of them another page loads at bottom. Users have roles at my application. Some users do not have edit and delete authorization, while others do. That buttons should be visible to users which have the authorization. If a user doesn’t have edit the correct permission he/she must not see the edit button. I have the buttons defined in an HTML file: navigation.html. I figured out that: there will be many navigation.html files. One of them includes all buttons(for admin) one of them just includes list button. If a user requests that navigation.html I want to send the correct one. So I can have that ability:

<logout logout-url="/j_spring_security_logout" logout-success-url="/login.html"/>

similar to that user will request that file from an URL(as like /navigation). There will be a controller to handle it so will return any of that navigation files.

Does that design sound correct? If so, how can I implement that? Any other simple solutions are welcome I am new to Spring and Spring Security.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For general Spring Security use, you don’t need to write your own code to enable authorization. I generally configure Spring Security in XML to control access at a gross level to various resources based on Roles. Then, I annotate the controllers and/or handler methods to restrict more precisely.

    Example:

    <?xml version="1.0" encoding="UTF-8"?>

<beans:beans 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled">
    </security:global-method-security>

    <security:http auto-config="true" disable-url-rewriting="true">
       <security:intercept-url pattern="/*.do" access="ROLE_USER" />
       <security:intercept-url pattern="/index.jsp" access="ROLE_USER" />
       <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
       <security:intercept-url pattern="/login.jsp" filters="none" />
       <security:form-login login-page="/login.jsp" />
       <security:logout />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:password-encoder hash="md5" />
            <security:jdbc-user-service data-source-ref="my-ds"/>
        </security:authentication-provider>
    </security:authentication-manager>

</beans:beans>

    And then in the Controller:

    @Secured({"ROLE_SPECIAL_USER"})
@RequestMapping("/somespecial.do")

    Within a JSP:

    <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
<authz:authorize ifAnyGranted="ROLE_SPECIAL_USER">
   ...some special JSP code...
</authz:authorize>
    • 0