Aug 26th, 2011, 03:48 PM
Best practices for web app (including URL routing)?
I was wondering about best practices for a typical web app with the following sample constraints:
- anyone can browse the landing page, populated with a dynamic selection of new user generated content
- anyone can view a user's public generated content (for instance, a blog)
- only authenticated users can mutate their content (post a new blog entry, upload a photo, edit a blog entry)
Here is one approach in terms of URL routing:
- landing page: / -> permitAll (this makes it hard to start from denyAll)
- blog for a user (GET a blog/list of posts): /u/<username>/blog -> permitAll
- user posts a new blog entry (GET the form): /u/<username>/blog/new -> hasRole('ROLE_BLOG_OWNER'). How is this secured additionally to the specific user only, and not just any authenticated principal?
- user posts a new blog entry (POST the data): /u/<username>/blog/ -> ? How is this limited to the specific owner user? It's already declared as permitAll earlier to allow a list. One could change this to POST /u/<username>/blog/new, but that's not quite RESTful? Alternatively, authorization checks will need to be implemented programmatically in the Controller implementation.
any thoughts/tips appreciated.
Last edited by nefilim; Aug 26th, 2011 at 05:06 PM.
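As an added example (not part of nefilim's post), one way to split the problem in Spring Security 3.x: the intercept-url layer only separates anonymous from authenticated traffic, and the "is this my blog" decision is a method-security SpEL rule that compares the path variable (or the loaded entity's owner) with the authenticated principal. BlogService, BlogEntryRepository, BlogEntry (assumed to expose getOwner()) and the view names are placeholders, not anything the post names.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Coarse URL layer, in the security XML (assumes <http use-expressions="true">). A URL pattern can
// only tell anonymous from authenticated; it cannot express "the owner of <username>", so:
//   <intercept-url pattern="/u/*/blog" method="GET" access="permitAll"/>
//   <intercept-url pattern="/u/*/blog" method="POST" access="isAuthenticated()"/>
//   <intercept-url pattern="/u/*/blog/**" access="isAuthenticated()"/>
//   <global-method-security pre-post-annotations="enabled"/>
// The owner check is a method-security rule on the service, where the path variable is an argument.

@Service
class BlogService {
    @Autowired private BlogEntryRepository repo;   // hypothetical repository; BlogEntry has getOwner()

    // Create: the URL's username must equal the logged-in principal. (#username binding needs the
    // class compiled with debug info so SpEL can resolve parameter names.)
    @PreAuthorize("#username == authentication.name")
    public BlogEntry create(String username, String body) {
        return repo.save(new BlogEntry(username, body)); // owner comes from the checked argument, not the form
    }

    // Edit: the id, not the URL's username, identifies the entry, so ownership is checked on the
    // loaded entity; a mismatch raises AccessDeniedException before the controller sees the object.
    @PostAuthorize("returnObject.owner == authentication.name")
    public BlogEntry loadForEdit(long id) { return repo.findById(id); }
}

@Controller
public class BlogController {
    @Autowired private BlogService blogService;

    // Same URL for list and create, distinguished by method: GET is public, POST is owner-only.
    @RequestMapping(value = "/u/{username}/blog", method = RequestMethod.GET)
    public String list(@PathVariable("username") String username) { return "blog/list"; }

    @RequestMapping(value = "/u/{username}/blog", method = RequestMethod.POST)
    public String create(@PathVariable("username") String username, @RequestParam("body") String body) {
        blogService.create(username, body);   // denied unless username == authenticated principal
        return "redirect:/u/" + username + "/blog";
    }
}
```

The annotations sit on the service rather than the controller so the check also covers any other caller and does not depend on the controller bean being proxied.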