show.jspx - how do I apply Spring Security to the delete icon?
I scaffolded up a web app with Roo 1.2.2, and am attempting to suppress the delete icon normally shown in a list table for an entity. I want to only allow users with an admin role to see the delete link:
Code:
<jsp:root xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:fn="http://java.sun.com/jsp/jstl/functions" xmlns:util="urn:jsptagdir:/WEB-INF/tags/util" xmlns:form="http://www.springframework.org/tags/form" xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:spring="http://www.springframework.org/tags" xmlns:sec="http://www.springframework.org/security/tags" version="2.0">
<jsp:output omit-xml-declaration="yes" />
<jsp:directive.attribute name="id" type="java.lang.String" required="true" rtexprvalue="true" description="The identifier for this tag (do not change!)" />
<jsp:directive.attribute name="object" type="java.lang.Object" required="true" rtexprvalue="true" description="The form backing object" />
<jsp:directive.attribute name="path" type="java.lang.String" required="true" rtexprvalue="true" description="Specify the URL path" />
<jsp:directive.attribute name="list" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'list' link into table (default true)" />
<jsp:directive.attribute name="create" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'create' link into table (default true)" />
<jsp:directive.attribute name="update" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'update' link into table (default true)" />
<jsp:directive.attribute name="delete" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'delete' link into table (default true)" />
<jsp:directive.attribute name="label" type="java.lang.String" required="false" rtexprvalue="true" description="The label used for this object, will default to a message bundle if not supplied" />
<jsp:directive.attribute name="render" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Indicate if the contents of this tag and all enclosed tags should be rendered (default 'true')" />
<jsp:directive.attribute name="openPane" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Control if the title pane is opened or closed by default (default: true)" />
<jsp:directive.attribute name="z" type="java.lang.String" required="false" description="Used for checking if element has been modified (to recalculate simply provide empty string value)" />
<c:if test="${empty render or render}">
<c:if test="${empty label}">
<spring:message code="label_${fn:toLowerCase(fn:substringAfter(id,'_'))}" var="label" htmlEscape="false" />
<spring:message code="label_${fn:toLowerCase(fn:substringAfter(id,'_'))}" var="label" htmlEscape="false" />
</c:if>
<c:if test="${empty list}">
<c:set var="list" value="true" />
</c:if>
<c:if test="${empty create}">
<c:set var="create" value="true" />
</c:if>
<c:if test="${empty update}">
<c:set var="update" value="true" />
</c:if>
<c:if test="${empty delete}">
<c:set var="delete" value="true" />
</c:if>
<spring:message var="typeName" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_new_label" htmlEscape="false" />
<spring:message var="typeNamePlural" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_list_label" htmlEscape="false" />
<spring:message arguments="${label}" code="entity_show" var="title_msg" htmlEscape="false" />
<util:panel id="${id}" title="${title_msg}" openPane="${openPane}">
<c:choose>
<c:when test="${not empty object}">
<jsp:doBody />
<div class="quicklinks">
<span>
<!-- Delete quicklink: rendered only when the tag's 'delete' flag is true. -->
<!-- NOTE(review): the enclosing markup is the quicklinks area of the show panel. The delete icon in a list table is presumably emitted by a separate tag file, which this guard would not affect. Confirm which tag renders the icon in question. -->
<c:if test="${delete}">
<!-- NOTE(review): itemId is not among the attributes declared by this tag; presumably the calling page puts it in scope. Verify. -->
<spring:url value="${path}/${itemId}" var="delete_form_url" />
<spring:url value="/resources/images/delete.png" var="delete_image_url" />
<!-- The form below is emitted only when the current user holds ROLE_ADMIN. -->
<!-- This hides the control and nothing more. The DELETE request to delete_form_url must also be restricted to ROLE_ADMIN on the server (URL access rule or method security on the handler), otherwise a user without the role can still send the request directly. -->
<!-- ifAllGranted is deprecated as of Spring Security 3.1. The replacement is the access attribute with an expression such as hasRole('ROLE_ADMIN'), which requires web expression support to be enabled in the security configuration. TODO confirm the Spring Security version in use. -->
<sec:authorize ifAllGranted="ROLE_ADMIN">
<form:form action="${delete_form_url}" method="DELETE">
<spring:message arguments="${typeName}" code="entity_delete" var="delete_label" htmlEscape="false" />
<!-- The confirmation text is JavaScript-escaped here and XML-escaped again where it is placed inside the onclick attribute. -->
<c:set var="delete_confirm_msg">
<spring:escapeBody javaScriptEscape="true">
<spring:message code="entity_delete_confirm" />
</spring:escapeBody>
</c:set>
<!-- Image submit button; the label is XML-escaped for each attribute because it was resolved with htmlEscape="false". -->
<input alt="${fn:escapeXml(delete_label)}" class="image" src="${delete_image_url}" title="${fn:escapeXml(delete_label)}" type="image" value="${fn:escapeXml(delete_label)}" onclick="return confirm('${fn:escapeXml(delete_confirm_msg)}');" />
</form:form>
</sec:authorize>
</c:if>
</span>
...
But, even with the sec:authorize tag surrounding the DELETE form, it still shows up for all users.
Suggestions?
-Jeff