Question

Is it possible to have a read-only user with Spring 3.0.5? I know you can specify specific authorized users using @Secured on a Class or Method, but can you list specific people that cannot run a method rather than specifying everyone who can (assuming that the user has to be authenticated to get to that point)? We want to make sure that specific users don't accidentally run a method that would change data without making it more difficult to add more roles in the future. If anyone knows of another way this can be done, I am all ears. Thank you.

Solution

I don't know of a way to magically create a read-only user. However, you can create a role such as ROLE_UPDATE and make all of your methods that perform creates/updates/deletes be secured via @Secured("ROLE_UPDATE"). Then, if a user is not granted the ROLE_UPDATE authority, they will not be able to call any of the 'writing' methods, and therefore they will be restricted to calling only 'read' methods.
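
The ROLE_UPDATE approach from the answer above, as an added example that is not part of the original answer or of any project's code. `AccountService`, `InMemoryAccountService`, their methods and the in-memory store are hypothetical, and the example assumes method security is switched on in the Spring Security XML configuration as shown in the first comment.

```java
// Assumed configuration (Spring Security XML namespace); without it @Secured is ignored:
//   <security:global-method-security secured-annotations="enabled"/>
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.annotation.Secured;

// Hypothetical service: reads carry no write role, every mutating method needs ROLE_UPDATE.
public interface AccountService {

    // Read path: no ROLE_UPDATE required, so a read-only user can call it.
    String findOwner(long accountId);

    // Write paths: a caller without the ROLE_UPDATE authority is rejected with an
    // AccessDeniedException by the security interceptor before the method body runs.
    @Secured("ROLE_UPDATE")
    void rename(long accountId, String newOwner);

    @Secured("ROLE_UPDATE")
    void delete(long accountId);
}

// Hypothetical implementation backed by an in-memory map; register it as a Spring bean
// so that callers receive the secured proxy instead of the raw object.
class InMemoryAccountService implements AccountService {

    private final Map<Long, String> owners = new ConcurrentHashMap<Long, String>();

    public String findOwner(long accountId) {
        return owners.get(accountId);
    }

    public void rename(long accountId, String newOwner) {
        owners.put(accountId, newOwner);
    }

    public void delete(long accountId) {
        // Caveat: the check is applied by a proxy around the bean. A call made from
        // inside this class (this.rename(...)) does not pass through the proxy and is
        // therefore not checked, so keep write logic behind the annotated entry points.
        owners.remove(accountId);
    }
}
```

A new role added later stays read-only by default until it is also granted ROLE_UPDATE, so the write methods never need to be re-annotated when roles are added.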

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow