Good day. I work with Spring Security 4. A profile can be edited only by its owner or an administrator. I have the following code in the controller (UserDetails is overridden and has a uid field):
    @PreAuthorize("hasRole('ROLE_ADMIN') or " + "(isAuthenticated() and principal.uid == #personId)")
    @RequestMapping(path = "/persons/uid{personId}/edit", method = RequestMethod.GET)
    public String editPerson(@PathVariable Integer personId, Model model) {
        getPerson(personId, model);
        return "editPerson";
    }

and on the JSP profile view page:
    <c:url value="/persons/uid${person.uid}/edit" var="editUrl" />
    <sec:authorize url="${editUrl}">
        <a href="${editUrl}">Edit</a>
    </sec:authorize>

The link is shown to everyone. However, without the necessary rights (uid != 1 or an unauthorized user), access to the persons/uid1/edit page is denied, that is, @PreAuthorize works here.
Can you tell me what the problem is?
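The behaviour the question describes follows from which layer each mechanism consults: `@PreAuthorize` is method security and is enforced when the controller method is invoked, while `<sec:authorize url="...">` asks the web layer's `WebInvocationPrivilegeEvaluator` whether the URL is allowed under the `intercept-url` / `authorizeRequests()` rules. Method annotations are invisible to that evaluator, so with no URL rule for `/persons/uid{n}/edit` the tag renders the link for everyone. The example below is added here and is not code from the original post: it moves the owner-or-admin rule into one bean and wires it into both layers so the tag and the controller agree. It assumes a custom `UserDetails` class named `AppUser` with a `uid` field, a bean name `personSecurity`, Java configuration, and Spring Security 4.1 or later for the `{personId}` path variable in `antMatchers()`.

```java
package example;

import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/** Hypothetical UserDetails carrying the uid field mentioned in the question. */
class AppUser extends User {
    private final Integer uid;

    AppUser(Integer uid, String username, String password,
            Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.uid = uid;
    }

    public Integer getUid() { return uid; }
}

/** One owner-or-admin rule, evaluated by both the method layer and the URL layer. */
class PersonSecurity {
    // personId arrives as an Integer from @PathVariable but as a String when
    // extracted from the antMatchers() URI template, so compare as strings.
    public boolean canEdit(Authentication auth, Object personId) {
        // An anonymous token reports isAuthenticated() == true, so exclude it explicitly.
        if (auth == null || auth instanceof AnonymousAuthenticationToken
                || !auth.isAuthenticated() || personId == null) {
            return false;
        }
        for (GrantedAuthority a : auth.getAuthorities()) {
            if ("ROLE_ADMIN".equals(a.getAuthority())) {
                return true;
            }
        }
        Object principal = auth.getPrincipal();
        return principal instanceof AppUser
                && String.valueOf(personId).equals(String.valueOf(((AppUser) principal).getUid()));
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean(name = "personSecurity")
    public PersonSecurity personSecurity() {
        return new PersonSecurity();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // This URL rule is what <sec:authorize url="..."> consults through the
            // WebInvocationPrivilegeEvaluator; without it the tag allows everyone.
            // Path variables in access() require Spring Security 4.1+ (assumption).
            .antMatchers("/persons/uid{personId}/edit")
                .access("@personSecurity.canEdit(authentication, #personId)")
            .anyRequest().permitAll()
            .and().formLogin();
    }
}

@Controller
class PersonController {
    // The method layer keeps enforcing the same rule, so a direct request is
    // still denied even if a view forgets the tag (defence in depth).
    @PreAuthorize("@personSecurity.canEdit(authentication, #personId)")
    @RequestMapping(path = "/persons/uid{personId}/edit", method = RequestMethod.GET)
    public String editPerson(@PathVariable Integer personId, Model model) {
        model.addAttribute("personId", personId);
        return "editPerson";
    }
}
```

With the URL rule in place the original JSP, `<sec:authorize url="${editUrl}">`, hides the link for anyone the rule rejects, because the tag now finds a matching rule to evaluate. If you prefer not to duplicate the mapping in web security, the tag's `access` attribute accepts JSP EL, so `<sec:authorize access="hasRole('ROLE_ADMIN') or principal.uid == ${person.uid}">` inlines the uid into the expression and needs no URL rule at all; either way keep the `@PreAuthorize` on the controller, since the tag only controls what is rendered, not what is reachable.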