• To implement URL-based authorization, use the <intercept-url> element
  • <intercept-url> has the following attributes:
    pattern: the URL pattern to intercept
    access: the list of user roles that may access the matched URL
    method: optional; restricts the rule to one HTTP method
  • The intercepted URL patterns are passed as metadata to FilterSecurityInterceptor
  • Ensure that every url-pattern in <intercept-url> ends with "*"; otherwise an attacker can pass parameters to the URL to bypass the authorization rule
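The following is an added example (not from the original slides) of an <http> block using the three attributes above. Rules are evaluated in order and the first match wins, so the more specific patterns come first; the role names and paths are hypothetical.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true">
    <!-- Weak: no trailing wildcard, so only the exact path "/admin" is
         matched; any other path beneath /admin falls through to the
         catch-all rule at the bottom. -->
    <!-- <intercept-url pattern="/admin" access="ROLE_ADMIN"/> -->

    <!-- Corrected: the wildcard covers /admin and everything under it. -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>

    <!-- method restricts a rule to one HTTP verb: only editors may POST
         to /reports/*, while viewers and editors may GET them. -->
    <intercept-url pattern="/reports/**" method="POST" access="ROLE_EDITOR"/>
    <intercept-url pattern="/reports/**" access="ROLE_VIEWER,ROLE_EDITOR"/>

    <!-- Public pages; the trailing * also covers /login?error etc. -->
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

    <!-- Catch-all: everything else requires a fully authenticated user. -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- Constructed sample users for a local test only. -->
        <user name="alice" password="alice-pw" authorities="ROLE_ADMIN"/>
        <user name="bob" password="bob-pw" authorities="ROLE_VIEWER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With a catch-all `/**` rule that merely requires authentication, any path that the earlier rules fail to match is granted to every logged-in user, which is why the wildcard on the restrictive patterns matters.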

Sample intercept-url Configuration without XML

JSP Page Content Authorization

  • Authorizing JSP page content based on the logged-in user's status, role, etc.
  • Include the following to implement web URL authorization

JSP Page Content Authorization with Domain Object’s ACL

  • Authorizing JSP page content based on the logged-in user's permissions on domain objects
  • The <security:accesscontrollist> tag displays or hides JSP page content based on the logged-in user's permissions in a domain object's ACL
  • The <security:accesscontrollist> tag does not use expressions