denying access for multiple users of same role in

Published 2019-02-28 05:29

Question:

I've run into such a situation: my application has several roles (administrator, moderator, user). Moderator and User can edit some forms. All permissions are OK. But when I'm logged in as a user (role User) and change an id in the URL, I can simply get and edit the form of another user (role User).

How to deny access and prevent such actions?

PS: the version of Spring and Spring Security is 3.1.2.

Update: added the Spring Security context.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true" auto-config="false"
        entry-point-ref="authenticationEntryPoint" access-denied-page="/403.jsp">
        <form-login login-page="/login.html"
            authentication-failure-url="/login.html?error=true"
            login-processing-url="/j_spring_security_check"
            authentication-success-handler-ref="successHandler" />
        <logout logout-url="/logout" logout-success-url="/login.html" />
        <!-- Role checks per URL prefix. Note: a request matching none of the
             intercept-url patterns below is not restricted at all. -->
        <intercept-url pattern="/admin/**" access="hasRole('adminViewPermission')" />
        <intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission')" />

        <!-- Ant-style patterns are matched against a path that starts with "/",
             so the pattern must start with "/" as well; "**/form-management"
             would never match "/moderator/form-management". -->
        <intercept-url pattern="/**/form-management"
            access="hasRole('formManagementPermission')" />

    </http>


    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.html" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/authenticate" />
        <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
    </beans:bean>

    <beans:bean id="userDetailsService"
        class="com.jack.MyYserDetailsService">
    </beans:bean>
</beans:beans>

Answer 1:

It looks like you want to take the actual domain object into account in your security rule. A normal Spring Security setup with users and roles can add security rules like this: who (an authenticated user with some role) may access some URL / method invocation. If you want to be able to use enhanced rules like this: who (an authenticated user with some role) may access some URL / method invocation and what domain objects he can use, then you need to use the ACL feature.

EDIT. But if you need just one security rule like this, then setting up ACL may be overkill. You can try to enhance your actual Spring Security setup with a custom web security expression:

<intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission') and userIsAuthor()" />

Where your userIsAuthor() method will:

  • extract the id of the object from the URL (I suppose something like /moderator/item/56)
  • check if the current user is the author of the item with id = 56.
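One way to implement the userIsAuthor() expression the answer sketches, and so close the id-in-the-URL hole the question describes, is to extend Spring Security 3.1's DefaultWebSecurityExpressionHandler so that its expression root gains the extra method. The code below is an added example, not code from the question, the answer or the Spring Security project; it is written against the 3.1 API (createSecurityExpressionRoot returning SecurityExpressionOperations, the public request field on WebSecurityExpressionRoot). The URL layout /moderator/item/{id}, the ItemRepository interface with findById(long), and Item.getAuthorUsername() are assumptions stood in for the asker's own domain classes.

```java
// Added example (not from the question, the answer or Spring Security itself).
// Assumed names: /moderator/item/{id} URL layout, ItemRepository, Item.
package com.jack.security;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

public class AuthorAwareExpressionHandler extends DefaultWebSecurityExpressionHandler {

    private final ItemRepository itemRepository; // assumed application DAO

    public AuthorAwareExpressionHandler(ItemRepository itemRepository) {
        this.itemRepository = itemRepository;
    }

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, FilterInvocation fi) {
        AuthorAwareExpressionRoot root =
                new AuthorAwareExpressionRoot(authentication, fi, itemRepository);
        // Wire the same collaborators the default handler gives its root, so that
        // hasRole(), hasPermission() and isAuthenticated() keep behaving as before.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        return root;
    }

    /** Expression root that adds userIsAuthor() next to the built-in hasRole() etc. */
    public static class AuthorAwareExpressionRoot extends WebSecurityExpressionRoot {

        // Only /moderator/item/<digits> (optionally followed by a sub-path) is recognised;
        // any other URL shape fails closed instead of being guessed at.
        private static final Pattern ITEM_URL =
                Pattern.compile("^/moderator/item/(\\d+)(?:/.*)?$");

        private final Authentication authentication;
        private final ItemRepository itemRepository;

        AuthorAwareExpressionRoot(Authentication authentication, FilterInvocation fi,
                                  ItemRepository itemRepository) {
            super(authentication, fi);
            this.authentication = authentication;
            this.itemRepository = itemRepository;
        }

        /** True only if the item named in the URL exists and its author is the current principal. */
        public boolean userIsAuthor() {
            if (authentication == null || authentication.getName() == null) {
                return false;
            }
            // Build the context-relative path from servlet path + path info, so the
            // check does not depend on the web application's context root.
            String path = request.getServletPath();
            if (request.getPathInfo() != null) {
                path += request.getPathInfo();
            }
            Matcher m = ITEM_URL.matcher(path);
            if (!m.matches()) {
                return false;                 // no item id in the URL: deny
            }
            long itemId;
            try {
                itemId = Long.parseLong(m.group(1));
            } catch (NumberFormatException e) {
                return false;                 // digits, but too large for a long: deny
            }
            Item item = itemRepository.findById(itemId);
            if (item == null) {
                return false;                 // unknown item gets the same answer as "not yours"
            }
            return authentication.getName().equals(item.getAuthorUsername());
        }
    }

    // Assumed application types, sketched here only so the example compiles on its own.
    public interface ItemRepository { Item findById(long id); }
    public interface Item { String getAuthorUsername(); }
}
```

To use it, declare the handler as a bean (giving it the real repository) and point the `<http>` element at it with `<expression-handler ref="..."/>`; the answer's rule `hasRole('moderatorViewPermission') and userIsAuthor()` then evaluates against this root. Because the expression keeps the role check in front of the ownership check, a user who is not a moderator is still rejected before any item lookup happens, and every path that cannot be positively proven (no id, unparsable id, missing item, anonymous request) denies access rather than falling through.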