Spring Security - showing content specific to the logged in user

Question

Say I have a profile page, which has an 'edit your profile' link. The profile page can be viewed by all the users, but the edit link button should be visible only for a logged in user viewing his profile, not another user's profile.

As of now I have this code,

<sec:authorize access="isAuthenticated()">
<sec:authentication property="principal.username" var="principal"/>
<c:if test="${profile_username eq principal}">   <!--profile_username is the username of the viewed profile  -->
<!-- edit your profile link -->
</c:if>
</sec:authorize>    

Is there a cleaner way a doing this?? May be a one liner like

<sec:authorize access="isTheSamePerson()"/>.

Thanks in advance. :)

Answer 1

You want to take into account actual domain object. There is special ACL feature in Spring Security for these purposes. You can set up it and use corresponding accesscontrollist tag:

<sec:accesscontrollist hasPermission="2" domainObject="${profile}">
    <!-- Your edit link goes here -->
    <!-- "2" means write permission -->
    <!-- Be sure that you use Spring Security >= 3.1.2. This syntax may not works for smaller versions due to bugs  -->
</sec:accesscontrollist>

It may be an overkill if you have only one situation like this.

Option number 2. You can define a custom web security expression:

<sec:authorize access="isOwner(#profile)"/>.

It is not so simple too.

I think a custom JSP tag (tag file) will be the most simple solution:

<customtags:authorizeeditaccount account="${profile}"/> 

This tag will do the same things. It will look much better.