Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Let’s say I have users and articles.
Anonymous can list and read articles.
Only registered and logged user can create articles.
User can edit only own articles.
And, of course, admin can do anything.
I’ve looked at spring security, but didn’t found a way to do that. My app don’t need roles, and ACL will be too “heavy” for that.
Maybe I should implement my own security?
You’re right, ACL would be too much for the task.
You can use Spring Security’s authorize tag in JSP, which provides access to the logged in user via the
principalobject. Example to limit access to editing an article to the user with a given username:Note that SOME_PRIVILEGE_OR_ROLE could be some role like ‘LOGGED_IN_USER’, but could also rather specify a certain privilege, e.g. ‘READ_ARTICLE’ or ‘UPDATE_ARTICLE’. Spring Security is flexible here. Whatever you choose, it needs to be in the GrantedAuthorities collection of your user object.
Note also that you can implement your own user object, adding further info to what the UserDetails interface provides, e.g. comparing the user’s id rather than the username.
Finally, note that you need a recent version of Spring Security (>=3.1) for the Spring EL to work as in the example.