Thread: Request ID based access

  1. #1
    Join Date
    Mar 2011
    Posts
    1

    Default Request ID based access

    Hi everyone

    Now I've been googling and looking through the small tutorials... even went on a SpringSource course, but something seems to elude me.

    Spring Security is role based, that much I got so far, but I wonder why I can't find any examples of a classic order-based solution, where I can only see my own orders and not everyone else's.

    What I need is a solution so that if it's order 112, I can see it, but if it's order 113, only John Smith can see it. But I can't seem to find any guidance on this. I don't know if I'm intended to change the role of a user based on request parameters, and there must be something I have missed, so I really hope someone can help a noob like me.

    How do I ensure that orderdetails.php?id=112 only I can see and orderdetails.php?id=113 only John Smith can see?

    I thank you all in advance for your patience and guidance

    Kind regards
    Jesper Lind

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Default

    Check for ACL (Access Control List). You could also create a query which takes into account the current user (I assume that the user is connected to the order). Or check in the controller if the user is the same or has a certain role...
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author

    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide?
    Use the [ code ] tags, young padawan
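    The second and third options in the reply above (a query scoped to the current user, and an ownership-or-role check in the controller), plus the declarative form of the same check with Spring Security's method-security annotations, as an added example that is not part of this thread. The `Order`, `OrderRepository`, `OrderController` and `OrderService` types are hypothetical; the annotations, the `returnObject` and `authentication` expression variables and `SecurityContextHolder` are standard Spring Security.

```java
// Added illustration, not code from the thread. Order, OrderRepository,
// OrderController and OrderService are hypothetical names.
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

import java.util.List;

/** Hypothetical domain object; 'owner' is the username of the customer who placed it. */
class Order {
    private final long id;
    private final String owner;
    Order(long id, String owner) { this.id = id; this.owner = owner; }
    public long getId() { return id; }
    public String getOwner() { return owner; }
}

/** Hypothetical repository; a real one would be backed by JPA or JDBC. */
interface OrderRepository {
    Order findById(long id);
    /** The "query that takes the current user into account": it can only ever return that user's orders. */
    List<Order> findByOwner(String owner);
}

@Controller
class OrderController {
    private final OrderRepository orders;
    OrderController(OrderRepository orders) { this.orders = orders; }

    /** Explicit check in the controller: owner of the order, or an admin. */
    @RequestMapping("/orderdetails")
    @ResponseBody
    public Order details(@RequestParam("id") long id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Order order = orders.findById(id);
        boolean allowed = order != null
                && (hasRole(auth, "ROLE_ADMIN") || order.getOwner().equals(auth.getName()));
        if (!allowed) {
            // Same response for "not yours" and "does not exist", so a caller
            // iterating ids cannot tell which orders exist.
            throw new AccessDeniedException("Order " + id + " is not accessible");
        }
        return order;
    }

    /** Query scoped to the caller: no per-row check needed, nothing else can leak. */
    @RequestMapping("/myorders")
    @ResponseBody
    public List<Order> myOrders() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return orders.findByOwner(auth.getName());
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

/**
 * Same rules expressed declaratively. Needs method security enabled, e.g.
 * <global-method-security pre-post-annotations="enabled"/> in XML or
 * @EnableGlobalMethodSecurity(prePostEnabled = true) in Java config.
 */
class OrderService {
    private final OrderRepository orders;
    OrderService(OrderRepository orders) { this.orders = orders; }

    // Evaluated after the call: the returned order's owner must be the caller
    // unless the caller is an admin. The safe-navigation operator makes a null
    // result fail the comparison instead of throwing, so it is denied too.
    @PostAuthorize("hasRole('ROLE_ADMIN') or returnObject?.owner == authentication.name")
    public Order load(long id) {
        return orders.findById(id);
    }

    // Evaluated before the call: #owner is bound to the parameter by name.
    @PreAuthorize("#owner == authentication.name")
    public List<Order> listFor(String owner) {
        return orders.findByOwner(owner);
    }
}
```

    The controller and the service enforce the same rule, so a practitioner would normally pick one layer and keep it consistent; the scoped query is the cheapest to get right because there is no check to forget.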

  3. #3
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    To expand upon Marten's response I would look at the contact sample application for a demonstration of ACLs in action. Another good resource is Mike's presentation from Spring One.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
