Today we discuss about the security tags provided with Spring Security package. These tags allow you to customize your web pages to include\/exclude elements based on user roles and credentials<\/p>\n
<\/p>\n
The below description of Spring Security Tag is based on official Spring Security 3.1.0 RELEASE<\/strong>. It may not apply to older versions\n<\/p><\/blockquote>\n
I Configuration<\/h1>\n
To enable JSP page-level security, we need to import the Spring Security tag library as follow:<\/p>\n
\n<%@ taglib prefix="sec" uri="http:\/\/www.springframework.org\/security\/tags" %>\n<\/pre>\nWe also need to add the spring security taglib Maven dependency into our project pom.xml<\/p>\n
\n \t<dependency>\n \t\t<groupId>org.springframework.security<\/groupId>\n \t\t<artifactId>spring-security-taglibs<\/artifactId>\n \t\t<version>3.1.0.RELEASE<\/version>\n \t\t<type>jar<\/type>\n \t\t<scope>compile<\/scope>\n \t<\/dependency>\n<\/pre>\nII Security tags<\/h1>\n
<\/p>\n
A The Authorization<\/em> tag<\/h3>\n
To enable the rendering of some portion based on user credentials, we can rely on the <sec:authorize><\/strong> tag:<\/p>\n
\n<sec:authorize access="hasRole('admin')">\n\t<table>\n \t\t<tr>\n \t \t \t<td>xxx<\/td>\n \t \t \t<!-- Some administrator data here -->\n \t \t<\/tr>\n \t<\/table>\n<\/sec:authorize>\n\n<sec:authorize access="hasRole('guest')">\n\tRestricted data, you are not allowed to access this resource \t\n<\/sec:authorize>\n<\/pre>\nThe “access<\/strong>” attribute allows us to define the access rules. In the above example we simply check for user role (admin<\/em> or guest<\/em>). The hasRole is a SpEL<\/strong> (Spring Expression Language<\/strong>) syntax. Complete list of spEL expressions for security is given below:<\/p>\n
\n
- hasRole([role])<\/strong>: Returns true if the current principal has the specified role.<\/li>\n
- hasAnyRole([role1,role2])<\/strong>: Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)<\/li>\n
- principal<\/strong>: Allows direct access to the principal object representing the current user<\/li>\n
- \nauthentication<\/strong>: Allows direct access to the current Authentication object obtained from the SecurityContext<\/li>\n
- permitAll<\/strong>: Always evaluates to true<\/strong><\/li>\n
- denyAll<\/strong>: Always evaluates to false<\/strong><\/li>\n
- isAnonymous()<\/strong>: Returns true if the current principal is an anonymous user<\/li>\n
- isRememberMe()<\/strong>: Returns true if the current principal is a remember-me user<\/li>\n
- isAuthenticated()<\/strong>: Returns true if the user is not anonymous<\/li>\n
- isFullyAuthenticated()<\/strong>: Returns true if the user is not an anonymous or a remember-me user<\/li>\n<\/ul>\n
Among this list, only some expressions are usefull for the access attribute, mainly hasRole([role])<\/strong>, hasAnyRole([role1,role2])<\/strong>, isAnonymous()<\/strong>, isRememberMe()<\/strong>, isAuthenticated()<\/strong> and isFullyAuthenticated()<\/strong>. The other expressions are more informative and serve in different contexts (we’ll see them soon)<\/p>\n
Apart from the “access<\/strong>” attribute, the <sec:authorize><\/strong> tag offers other interesting attributes:<\/p>\n
\n
- url<\/strong>: an URL within the application. The tag <sec:authorize><\/strong> is renderd if the user is grated access to this URL (based on rules defined by the FilterSecurityInterceptor<\/strong>)<\/li>\n
- method<\/strong>: GET or POST. Specify the HTTP method user to access the url<\/strong>. This attribute can only be used along with the previous url<\/strong> attribute.<\/li>\n
- var<\/strong>: a page scope variable to store the evaluation of this tag (tru<\/strong>e or false<\/strong>) so it can be re-used later in the page for different purpose.<\/li>\n<\/ul>\n
Please note that for the “url” attribute to work, you need to declare an additional DefaultWebInvocationPrivilegeEvaluator<\/strong> bean in the Spring context with the filterSecurityInterceptor<\/strong> injected as constructor argument:<\/p>\n
\n<!-- Filter for role checking -->\n<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">\n\t<property name="authenticationManager" ref="authenticationManager"\/>\n\t<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"\/>\n\t<property name="securityMetadataSource">\n\t\t<sec:filter-security-metadata-source lowercase-comparisons="true" request-matcher="ant" use-expressions="true">\n\t\t\t<sec:intercept-url pattern="\/pages\/Security\/**" access="permitAll"\/>\n\t\t\t<sec:intercept-url pattern="\/resources\/**" access="permitAll"\/>\n\t\t\t<sec:intercept-url pattern="\/pages\/Settings\/**" access="hasRole('SETTINGS')"\/>\n\t\t\t<sec:intercept-url pattern="\/pages\/Home\/*" access="hasRole('HOME')"\/> \n\t\t\t<sec:intercept-url pattern="\/pages\/Admin\/**" access="hasRole('ADMINISTRATOR')"\/>\n\t\t\t<sec:intercept-url pattern="\/servlet\/Download" access="hasAnyRole('DOWNLOAD','PREMIUM_ACCOUNT')"\/>\n \n\t\t\t<sec:intercept-url pattern="\/**" access="isAuthenticated()"\/>\n\t\t<\/sec:filter-security-metadata-source>\n\t<\/property>\n<\/bean>\n\n<!-- webInvocationPrivilegeEvaluator necessary to use <sec:authorized url="xx"> -->\n<bean id="webInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">\n\t<constructor-arg ref="filterSecurityInterceptor">\n<\/bean>\n<\/pre>\nBelow is an example of the var attribute usage:<\/p>\n
\n<sec:authorize access="hasRole('admin')" var="isAdmin">\n\t<table>\n \t\t<tr>\n \t \t \t<td>xxx<\/td>\n \t \t \t<!-- Some administrator data here -->\n \t \t<\/tr>\n \t<\/table>\n<\/sec:authorize>\n...\n<c:if test="${isAdmin}">\n \/\/ Some block here if the user is Admin\n<\/c:if>\n<\/pre>\n<\/p>\n
B The Authentication<\/em> tag<\/h3>\n
The <sec:authentication><\/strong> tag gives access to the Authentication<\/strong> object of the security context. The attribute “property<\/strong>” allows us to access some property of the Authentication<\/strong> object itself and display it directly to the page. <\/p>\n
The Authentication<\/strong> interface exposes the following methods:<\/p>\n
\n
- authorities<\/strong>: collection of GrantedAuthority instances. Corresponds in most case to user roles<\/li>\n
- credentials<\/strong>: user’ credentials (usually password)<\/li>\n
- details<\/strong>: object containing the details of the authentication process itself. The content of this object depends on the implementation of the Authentication<\/strong> interface. The default implementation returns null<\/strong><\/li>\n
- principal<\/strong>: the principal object, which is most of the time an instance of the UserDetails<\/strong> interface<\/li>\n
- isAuthenticated<\/strong>: return true<\/strong> or false<\/strong> whether the use is authenticated or not<\/li>\n<\/ul>\n
As with the previous tag, the <sec:authentication><\/strong> tag offers some interesting other attributes:<\/p>\n
\n
- var<\/strong>: a page variable to store the result of the property<\/strong> attribute so it can be re-used later in the page for different purposes<\/li>\n
- scope<\/strong>: scope of the above “var<\/strong>” attribute. Can be “page<\/em>“, “request<\/em>“,”session<\/em>” or “application<\/em>“<\/li>\n
- htmlEscape<\/strong>: if true<\/strong>, enable HTML escape for the “property” attribute display<\/li>\n<\/ul>\n
Usage examples:<\/p>\n
\n<!-- Credentials display -->\nYour password is <sec:authentication property="credentials"\/>\n...\n\n<!-- Roles display -->\n<sec:authentication property="authorities" var="roles" scope="page" \/>\nYour roles are:\n<ul>\n\t<c:forEach var="role" items="${roles}">\n \t<li>${role}<\/li>\n\t<\/c:forEach>\n<\/ul>\n\n<!-- Username display -->\nYour username is <sec:authentication property="principal.username"\/>\n<\/pre>\n<\/p>\n
C The Accesscontrollist<\/em> tag<\/h3>\n
This <sec:accesscontrollist><\/strong> tag is rarely used and can only be evaluated if Spring Security’s ACL<\/strong> module is activated.<\/p>\n
The available attributes are:<\/p>\n
\n
- hasPermission<\/strong>: a list of permission (coma as separator) to be checked against domain object. The permission strings will be converted first into Permission<\/strong> instance by the PermissionFactory<\/strong> before performing evaluation. The evaluation is true if at least one of the listed permission is found in the domain object<\/em><\/li>\n
- domainObject<\/strong>: domain object for which the above permissions are evaluated<\/li>\n
- var<\/strong>: a page scope variable to store the evaluation of this tag (true<\/strong> or false<\/strong>) so it can be re-used later in the page for different purpose<\/li>\n<\/ul>\n
Usage example:<\/p>\n
\n\n<sec:accesscontrollist hasPermission="admin,designer" domainObject="${someObject}">\n\t\/\/Displayed only if the domainObject has "admin" OR "designer" permission \n<\/sec:accesscontrollist> \n\n<\/pre>\nIII Security tags for Facelet<\/h1>\n
The above security tags are only available for JSP pages. If you are a JSF-user with Facelet as templating solution, no chance.<\/p>\n
Luckily, some brillant people had a good idea to adapt these tags for Facelet. You can download the binaries here http:\/\/www.dominikdorn.com\/facelets\/<\/a><\/del><\/p>\n