3. JSP Example

The Spring Security tag library is declared at the top of the page with the prefix 'sec'. The delete link is then wrapped in a sec:authorize tag so that it is rendered only when the current user holds the role 'ROLE_ADMIN'. Be clear about what this does and does not do: it hides a link in the generated HTML and nothing more. Anyone who knows or guesses the URL (/delete/person.html?id=...) can still request it directly, so the tag is a usability measure, not access control. The real enforcement lives below in the PersonDao, where a @Secured annotation restricts the delete method to admins no matter which page, URL or caller reaches it. (From Spring Security 3.0 the ifAllGranted attribute is deprecated in favour of access="hasRole('ROLE_ADMIN')"; the version shown here still uses the older attribute.)

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<h1><fmt:message key="person.search.title"/></h1>

<table class="search">
    <tr>
        <th><fmt:message key="person.form.firstName"/></th>
        <th><fmt:message key="person.form.lastName"/></th>
        <th></th>
    </tr>
    <c:forEach var="person" items="${persons}">
        <%-- Build the per-row edit and delete URLs; c:url URL-encodes the id parameter --%>
        <c:url var="editUrl" value="/info/person.html">
            <c:param name="id" value="${person.id}" />
        </c:url>
        <c:url var="deleteUrl" value="/delete/person.html">
            <c:param name="id" value="${person.id}" />
        </c:url>
        <tr>
            <td><c:out value="${person.firstName}"/></td>
            <td><c:out value="${person.lastName}"/></td>
            <td>
                <a href='<c:out value="${editUrl}"/>'><fmt:message key="button.edit"/></a>
                <%-- Renders the delete link only for admins; it does not protect /delete/person.html itself --%>
                <sec:authorize ifAllGranted="ROLE_ADMIN">
                    <a href='<c:out value="${deleteUrl}"/>'><fmt:message key="button.delete"/></a>
                </sec:authorize>
            </td>
        </tr>
    </c:forEach>
</table>
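To make the point above concrete, here is an added example (not the page's own PersonDao or configuration) of the server-side enforcement that the hidden link does not provide. A PersonDao.delete method carries @Secured("ROLE_ADMIN"), method security is switched on with Java config, and a small driver calls delete once as a plain user and once as an admin; the first call is rejected with AccessDeniedException, the second succeeds. It assumes Spring Security 3.1 through 5.x with spring-security-config and Spring AOP on the classpath; the class names, the `attemptDelete` helper and the person id 42 are illustrative.

```java
// Added example, not code from the original page: @Secured enforcement on the
// DAO, exercised without any web layer to show it is independent of the JSP.
// Assumes Spring Security 3.1+ (spring-security-core, spring-security-config,
// spring-aop) on the classpath. Names and the id 42 are illustrative.
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class SecuredDeleteDemo {

    public interface PersonDao {
        void delete(long id);
    }

    public static class PersonDaoImpl implements PersonDao {
        // Checked by the method-security interceptor on every call path:
        // controller, scheduled job, or a hand-typed /delete/person.html?id=42.
        @Override
        @Secured("ROLE_ADMIN")
        public void delete(long id) {
            System.out.println("deleted person " + id);
        }
    }

    // Java-config equivalent of <global-method-security secured-annotations="enabled"/>.
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class AppConfig {
        @Bean
        public PersonDao personDao() {
            return new PersonDaoImpl();
        }
    }

    // Hypothetical helper: runs delete as a caller holding the given roles and
    // reports whether it was permitted. A TestingAuthenticationToken built with
    // authorities is already marked authenticated, so no AuthenticationManager
    // is consulted.
    static boolean attemptDelete(PersonDao dao, String... roles) {
        SecurityContextHolder.getContext()
            .setAuthentication(new TestingAuthenticationToken("user", "n/a", roles));
        try {
            dao.delete(42L);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
            new AnnotationConfigApplicationContext(AppConfig.class);
        try {
            // getBean returns the security proxy, not the raw PersonDaoImpl
            PersonDao dao = ctx.getBean(PersonDao.class);
            System.out.println("ROLE_USER  allowed: " + attemptDelete(dao, "ROLE_USER"));
            System.out.println("ROLE_ADMIN allowed: " + attemptDelete(dao, "ROLE_ADMIN"));
        } finally {
            ctx.close();
        }
    }
}
```

The driver never touches a JSP or a URL, which is the point: whatever the view hides or shows, the @Secured check sits on the method every request eventually calls. If the delete were only guarded by sec:authorize, the ROLE_USER call here would succeed. Note also that the check applies only when the DAO is obtained as a Spring bean (the proxy); a `new PersonDaoImpl()` created directly bypasses the interceptor, so the DAO must always be injected.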