Thread: best practices for web app (including URL routing) ?


    Hi,

    I was wondering about best practices for a typical web app with the following sample constraints:

    • anyone can browse the landing page, populated with a dynamic selection of new user generated content
    • anyone can view a user's public generated content (for instance, a blog)
    • only authenticated users can mutate their content (post a new blog entry, upload a photo, edit a blog entry)


    here is one approach in terms of URL routing

    • landing page: / -> permitAll. This makes it hard to start from denyAll.
    • blog for a user (GET a blog/list of posts): /u/<username>/blog -> permitAll
    • user posts a new blog entry (GET the form): /u/<username>/blog/new -> hasRole('ROLE_BLOG_OWNER'). How is this secured additionally to the specific user only, and not just any authenticated principal?
    • user posts a new blog entry (POST the data): /u/<username>/blog/ -> how is this limited to the specific owner user? It's already declared as permitAll earlier to allow a list. One could change this to POST /u/<username>/blog/new, but that's not quite RESTful. Alternatively, authentication checks will need to be implemented programmatically in the Controller implementation.

    Any thoughts/tips appreciated.

    Thanks,
    Peter
    Last edited by nefilim; Aug 26th, 2011 at 05:06 PM.
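The two questions in the post (how to key the rule on the HTTP method so the same path can be public for GET and owner-only for POST, and how to restrict the write to the specific user rather than any principal holding ROLE_BLOG_OWNER) can both be answered in Spring Security without hand-written checks in the controller body. The following is an added example, not code from the original post or from any reply to it. It assumes Spring Security 4.1 through 5.x (path variables in web security expressions and WebSecurityConfigurerAdapter, which was removed in 6.0) and Spring MVC 4.3+; the names BlogSecurityConfig, BlogController, BlogService, OWNER_ONLY and the view names are hypothetical.

```java
// Added example, not code from the original post. Assumes Spring Security 4.1 to 5.x
// and Spring MVC 4.3+. BlogSecurityConfig, BlogController, BlogService and the
// OWNER_ONLY constant are hypothetical names chosen for this illustration.
import org.springframework.http.HttpMethod;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
public class BlogSecurityConfig extends WebSecurityConfigurerAdapter {

    // One owner expression, reused at the URL layer and the method layer.
    // hasAuthority() compares the granted authority string exactly, so there is
    // no ROLE_ prefix handling to get wrong. #username is bound from the path.
    static final String OWNER_ONLY =
            "hasAuthority('ROLE_BLOG_OWNER') and #username == authentication.name";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public reads: the landing page and any user's blog listing.
                .antMatchers(HttpMethod.GET, "/", "/u/*/blog").permitAll()
                // Same path, different method: GET /u/{username}/blog is public
                // (above), POST /u/{username}/blog is owner-only. Keying the rule
                // on the method means the listing can stay permitAll without
                // opening the write to every authenticated principal.
                .antMatchers(HttpMethod.GET, "/u/{username}/blog/new").access(OWNER_ONLY)
                .antMatchers(HttpMethod.POST, "/u/{username}/blog").access(OWNER_ONLY)
                // Fail closed: anything not listed above is denied, so the config
                // effectively starts from denyAll even though "/" itself is public.
                .anyRequest().denyAll()
                .and()
            .formLogin().permitAll(); // the login page must stay reachable under denyAll
        // CSRF protection is on by default in Java config; leave it on for the POST.
    }
}

@Controller
@RequestMapping("/u/{username}/blog")
class BlogController {

    private final BlogService blogService;

    BlogController(BlogService blogService) {
        this.blogService = blogService;
    }

    // GET /u/{username}/blog : public listing, nothing beyond the URL rule needed.
    @GetMapping
    public String list(@PathVariable String username, Model model) {
        model.addAttribute("entries", blogService.entriesFor(username));
        return "blog/list";
    }

    // GET /u/{username}/blog/new : the form, owner-only at both layers.
    @GetMapping("/new")
    @PreAuthorize(BlogSecurityConfig.OWNER_ONLY)
    public String newForm(@P("username") @PathVariable String username) {
        return "blog/new";
    }

    // POST /u/{username}/blog : defense in depth. If a URL rule is mis-ordered or
    // a second mapping to this handler is added later, the method still refuses
    // non-owners. @P names the parameter for the expression so the check does not
    // depend on the class being compiled with -parameters or debug info.
    @PostMapping
    @PreAuthorize(BlogSecurityConfig.OWNER_ONLY)
    public String create(@P("username") @PathVariable String username,
                         @RequestParam String title,
                         @RequestParam String body) {
        blogService.create(username, title, body);
        return "redirect:/u/" + username + "/blog";
    }
}

// Hypothetical persistence boundary; a real project supplies its own.
interface BlogService {
    java.util.List<String> entriesFor(String username);
    void create(String username, String title, String body);
}
```

The URL rule and the method annotation deliberately duplicate the same expression. Ant patterns in the security filter and Spring MVC's path matching are not guaranteed to agree (for example on a trailing slash), so a request can reach a handler that no URL rule anticipated; with `anyRequest().denyAll()` such a mismatch fails closed, and the `@PreAuthorize` on the mutating handlers protects the write even where the URL layer is bypassed or later reconfigured.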
