Say I have a profile page, which has an ‘edit your profile’ link. The profile page can be viewed by all the users, but the edit link button should be visible only for a logged in user viewing his profile, not another user’s profile.
As of now I have this code:
<sec:authorize access="isAuthenticated()">
    <sec:authentication property="principal.username" var="principal"/>
    <c:if test="${profile_username eq principal}"> <!-- profile_username is the username of the viewed profile -->
        <!-- edit your profile link -->
    </c:if>
</sec:authorize>
Is there a cleaner way of doing this? Maybe a one-liner like
<sec:authorize access="isTheSamePerson()"/>.
Thanks in advance. 🙂
You want to take into account the actual domain object. There is a special ACL feature in Spring Security for these purposes. You can set it up and use the corresponding accesscontrollist tag:
It may be an overkill if you have only one situation like this.
Option number 2. You can define a custom web security expression:
It is not so simple either.
I think a custom JSP tag (tag file) will be the most simple solution:
This tag will do the same thing. It will look much better.
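As an added illustration of the tag-file approach (not code from the answerer), the asker's snippet wrapped in a JSP tag file; the file name ifOwnProfile.tag, the /WEB-INF/tags directory, the prefix my and the edit URL are assumptions:

```jsp
<%-- /WEB-INF/tags/ifOwnProfile.tag (assumed location and name) --%>
<%-- Renders its body only when the logged-in user views their own profile. --%>
<%@ tag body-content="scriptless" %>
<%@ attribute name="username" required="true" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<sec:authorize access="isAuthenticated()">
    <%-- Store the authenticated principal's username in a page-scoped variable --%>
    <sec:authentication property="principal.username" var="principal"/>
    <%-- Only emit the body when the viewed profile belongs to the current user --%>
    <c:if test="${username eq principal}">
        <jsp:doBody/>
    </c:if>
</sec:authorize>

<%-- Usage in the profile page (profile_username is the viewed profile's username) --%>
<%-- <%@ taglib prefix="my" tagdir="/WEB-INF/tags" %>                      --%>
<%-- <my:ifOwnProfile username="${profile_username}">                       --%>
<%--     <a href="/profile/edit">Edit your profile</a>  (assumed URL)        --%>
<%-- </my:ifOwnProfile>                                                      --%>
```

Hiding the link only affects the view; the controller or service handling the edit request must still verify that the authenticated user owns the profile, since the edit URL can be requested directly.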