I am trying to set up a security policy in Spring such that anyone can read any entities created in Roo but only the admin user (specified in applicationContext-security.xml) can create/update/delete. It seems to me I should be able to achieve my goal by customizing applicationContext-security.xml but I can't figure out a way. I thought of using intercept-url like:
<intercept-url pattern="/anyEntity/*?form" access="hasRole('ROLE_ADMIN')" />
but this config does not cover DELETE because it is a hidden field in a POST (according to the doc, the POST method is supported, but there is no doc on how to specify a hidden field value in the intercept-url tag).
Another way would be to use @Secured on entity setter methods. I currently rely on Roo to generate the getters/setters, so I would like to avoid using it if possible.
I can also write a custom controller to do the filtering, I suppose. But it seems to me I should be able to just customize the configuration. I must be missing something obvious, because a public read-only policy should be a very common strategy.
I think you can use the method="DELETE" attribute on intercept-url, because Roo converts the hidden method field to the HTTP method.
There is also some more information here
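As an added example (not code from the question or the answer above, and not Roo's generated file), here is what a complete applicationContext-security.xml implementing the public-read, admin-write policy could look like using the method attribute the answer mentions. It assumes Spring Security 3.x namespace configuration with use-expressions="true" (as Roo generates), a single ROLE_ADMIN user, Roo's default login and logout paths, and that Roo's HiddenHttpMethodFilter (the filter that turns the _method=DELETE hidden field into an HTTP DELETE) is declared before springSecurityFilterChain in web.xml. The placeholder password is for the example only.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration, not Roo's generated file.
     Assumptions: Spring Security 3.x namespace, expression-based access,
     HiddenHttpMethodFilter runs before springSecurityFilterChain in web.xml. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true" use-expressions="true">
        <!-- intercept-url rules are evaluated top-down; the first match wins,
             so the most specific and the permissive read-only rules come first. -->

        <!-- Login page and static resources must stay reachable for everyone. -->
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />

        <!-- Public read-only access: GET and HEAD on any URL for anyone,
             including anonymous (not logged in) visitors. -->
        <intercept-url pattern="/**" method="GET" access="permitAll" />
        <intercept-url pattern="/**" method="HEAD" access="permitAll" />

        <!-- State-changing verbs: Roo's create form posts a POST, update a PUT
             and delete a DELETE (via the _method hidden field). Admin only. -->
        <intercept-url pattern="/**" method="POST" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />

        <!-- Catch-all for every other method (OPTIONS, TRACE, ...). Because
             this rule has no method attribute it also covers the case where
             the hidden-field conversion has not happened yet and the request
             still looks like a plain POST: it is still admin only. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />

        <form-login login-page="/login"
                    authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <!-- Placeholder credential for the example only; Roo's file
                     uses a password-encoder and a hashed value instead. -->
                <user name="admin" password="change-me" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

Two things to check before relying on this. First, the DELETE and PUT rules only match if the request's method has already been rewritten by HiddenHttpMethodFilter when FilterSecurityInterceptor runs, so confirm that filter is mapped before springSecurityFilterChain in web.xml; the trailing catch-all rule with no method attribute is the safety net if it is not. Second, whether a pattern such as /anyEntity/*?form takes the query string into account depends on the Spring Security version, which is why the example restricts by HTTP method instead of by the ?form suffix; the empty create form is then still viewable by anonymous users, but submitting it is not possible.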