NahidMasud

Reputation: 35

Restricting access to some page based on permission

I am a student and new to web development. I am facing a somewhat strange problem while developing a web application using Spring MVC.

I have some permissions that come from the database. If I give a user, "userOne", the "createRole" permission, then "userOne" can see a link on its dashboard after logging in: "Create Role". If the user clicks on the "Create Role" link, then the server redirects to this URL: /secure/roleManagement/createNewRole.html.

Please note, if I revoke the "createRole" permission then the user is not able to see the "Create Role" link. But even after this, if I type the URL /secure/roleManagement/createNewRole.html into the browser then I can access the create role page, which shouldn't appear to the user.

So how can I hide this? I know the provided information is not sufficient for answering, but please give some idea. I am stuck with this. I heard I may use Spring authorization in this case to intercept the URL request. But for learning purposes we don't want to use it. Is there any idea?

Thanks

Upvotes: 0

Views: 121

Answers (1)

Fred Porciúncula

Reputation: 8902

I believe the best way to address this would be using Spring Security namespace and adding an intercept rule like the following:

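<!-- The pattern must match the requested path, including the .html suffix;
     the role name is a quoted string inside the access expression. -->
<intercept-url pattern="/secure/roleManagement/createNewRole.html"
               access="hasRole('createRole')"
/>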

But since you don't want that, the alternatives would be:

  1. Assuming there is a controller handling requests to /secure/roleManagement/createNewRole.html, you could just add a verification at the beginning that checks whether the user has the required role or not.
  2. Create your security logic in one (or multiple) filters. You could either have a filter to intercept this particular URL, and then create others for other URLs (which might not be a good idea depending on the number of URLs you need to handle) or you could have one single security filter to handle them all.

The alternatives are basically ways to implement what Spring Security offers out of the box.

Upvotes: 1
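The single-filter alternative from the answer above, sketched as an added example (not code from the question or the answer). The class name `PermissionFilter`, the `"permissions"` session attribute and the `/secure/*` filter mapping are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class; register it in web.xml with <url-pattern>/secure/*</url-pattern>.
public class PermissionFilter implements Filter {
    // Request path (without context path) -> permission needed to reach it.
    private final Map<String, String> required = new HashMap<>();

    @Override
    public void init(FilterConfig config) {
        required.put("/secure/roleManagement/createNewRole.html", "createRole");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path; the raw getRequestURI() would still carry
        // URL encoding and ";jsessionid"-style path parameters.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // Assumption: the login code stored the user's permission names from
        // the database in the session as a Set<String> under "permissions".
        HttpSession session = request.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute("permissions");
        Set<?> granted = (attr instanceof Set) ? (Set<?>) attr : Collections.emptySet();

        // Unlisted paths are refused too, so a new page under /secure/ stays
        // closed until it is given an entry in the map.
        String needed = required.get(path);
        if (needed == null || !granted.contains(needed)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the permission set is cached in the session, a revoked permission stays effective until the set is refreshed; reload it from the database when permissions change, or look it up on each request.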
