I scaffolded a web app with Roo 1.2.2 and am trying to suppress the delete icon normally shown in a list table for an entity. I want only users with an admin role to see the delete link:
But, even with the sec:authorize tag surrounding the DELETE form, it still shows up for all users.Code:
<!--
  Tag file that wraps its body in a util:panel and, when `object` is not
  empty, renders the body followed by a "quicklinks" strip holding the
  delete form (the listing is cut off after that form).
  NOTE(review): the `object` attribute, jsp:doBody and the quicklinks strip
  suggest this is the tag for the single-entity view, while the post is about
  the delete icon in the list table. Presumably the list is rendered by a
  separate table tag file; confirm the sec:authorize wrapper was added to the
  file that actually renders the list rows.
-->
<jsp:root xmlns:c="http://java.sun.com/jsp/jstl/core"
          xmlns:fn="http://java.sun.com/jsp/jstl/functions"
          xmlns:util="urn:jsptagdir:/WEB-INF/tags/util"
          xmlns:form="http://www.springframework.org/tags/form"
          xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns:spring="http://www.springframework.org/tags"
          xmlns:sec="http://www.springframework.org/security/tags"
          version="2.0">
  <jsp:output omit-xml-declaration="yes" />

  <!-- Attributes accepted by this tag; id, object and path are required. -->
  <jsp:directive.attribute name="id" type="java.lang.String" required="true" rtexprvalue="true" description="The identifier for this tag (do not change!)" />
  <jsp:directive.attribute name="object" type="java.lang.Object" required="true" rtexprvalue="true" description="The form backing object" />
  <jsp:directive.attribute name="path" type="java.lang.String" required="true" rtexprvalue="true" description="Specify the URL path" />
  <jsp:directive.attribute name="list" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'list' link into table (default true)" />
  <jsp:directive.attribute name="create" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'create' link into table (default true)" />
  <jsp:directive.attribute name="update" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'update' link into table (default true)" />
  <jsp:directive.attribute name="delete" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Include 'delete' link into table (default true)" />
  <jsp:directive.attribute name="label" type="java.lang.String" required="false" rtexprvalue="true" description="The label used for this object, will default to a message bundle if not supplied" />
  <jsp:directive.attribute name="render" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Indicate if the contents of this tag and all enclosed tags should be rendered (default 'true')" />
  <jsp:directive.attribute name="openPane" type="java.lang.Boolean" required="false" rtexprvalue="true" description="Control if the title pane is opened or closed by default (default: true)" />
  <jsp:directive.attribute name="z" type="java.lang.String" required="false" description="Used for checking if element has been modified (to recalculate simply provide empty string value)" />

  <!-- Everything below is skipped when the caller passes render=false. -->
  <c:if test="${empty render or render}">
    <!-- No label supplied: look one up from the message bundle, keyed on the part of id after the first underscore. -->
    <c:if test="${empty label}">
      <spring:message code="label_${fn:toLowerCase(fn:substringAfter(id,'_'))}" var="label" htmlEscape="false" />
      <!-- NOTE(review): the next line repeats the previous one verbatim; it only re-assigns `label` to the same value. -->
      <spring:message code="label_${fn:toLowerCase(fn:substringAfter(id,'_'))}" var="label" htmlEscape="false" />
    </c:if>

    <!-- Each link flag defaults to true when the caller leaves it out. -->
    <c:if test="${empty list}">
      <c:set var="list" value="true" />
    </c:if>
    <c:if test="${empty create}">
      <c:set var="create" value="true" />
    </c:if>
    <c:if test="${empty update}">
      <c:set var="update" value="true" />
    </c:if>
    <c:if test="${empty delete}">
      <c:set var="delete" value="true" />
    </c:if>

    <!-- Message codes are derived from the last underscore-separated segment of id. -->
    <spring:message var="typeName" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_new_label" htmlEscape="false" />
    <spring:message var="typeNamePlural" code="menu_item_${fn:toLowerCase(fn:split(id,'_')[fn:length(fn:split(id,'_')) - 1])}_list_label" htmlEscape="false" />
    <spring:message arguments="${label}" code="entity_show" var="title_msg" htmlEscape="false" />

    <util:panel id="${id}" title="${title_msg}" openPane="${openPane}">
      <c:choose>
        <c:when test="${not empty object}">
          <jsp:doBody />
          <div class="quicklinks">
            <span>
              <c:if test="${delete}">
                <!-- itemId is not declared as an attribute of this tag; presumably the calling view sets it (verify). -->
                <spring:url value="${path}/${itemId}" var="delete_form_url" />
                <spring:url value="/resources/images/delete.png" var="delete_image_url" />
                <!--
                  Renders the delete form only when the current user holds ROLE_ADMIN.
                  This controls what is displayed, not what is allowed: the handler
                  behind ${delete_form_url} must enforce the same role on the server
                  (a URL intercept rule or method security), otherwise a non-admin can
                  still send the DELETE request without the button.
                  NOTE(review): ifAllGranted is the legacy attribute form; the
                  expression form is access="hasRole('ROLE_ADMIN')", which needs
                  use-expressions enabled in the http security config. Confirm which
                  form the project's Spring Security version and config support, and
                  that requests for this view pass through the security filter chain.
                -->
                <sec:authorize ifAllGranted="ROLE_ADMIN">
                  <form:form action="${delete_form_url}" method="DELETE">
                    <spring:message arguments="${typeName}" code="entity_delete" var="delete_label" htmlEscape="false" />
                    <!-- The confirm text is JavaScript-escaped here and XML-escaped again where it is placed in the onclick attribute. -->
                    <c:set var="delete_confirm_msg">
                      <spring:escapeBody javaScriptEscape="true">
                        <spring:message code="entity_delete_confirm" />
                      </spring:escapeBody>
                    </c:set>
                    <input alt="${fn:escapeXml(delete_label)}" class="image" src="${delete_image_url}" title="${fn:escapeXml(delete_label)}" type="image" value="${fn:escapeXml(delete_label)}" onclick="return confirm('${fn:escapeXml(delete_confirm_msg)}');" />
                  </form:form>
                </sec:authorize>
              </c:if>
            </span>
            ...
Suggestions?
-Jeff


