
Spring View Layer Security using JSP Taglibs

Post by: hanhga   Category: Javascript   Fields: Other

So far in the previous tutorials we have learned about securing an application behind a login form, with a custom user details service and with method level security. All of those controls sit in the controller or model layer of MVC. It is time to add security to the view layer. This is mostly needed when we want to hide certain links or buttons based on the user's role, so that the user is not shown functionality he is not allowed to use. Keep in mind that hiding a button is a usability measure, not an access-control boundary: the URL behind it must still be protected by intercept-url rules or method security, because a user can submit the request by hand without ever seeing the button.

Taglib declaration

To secure the view layer of an application, Spring Security ships its own taglib, which provides basic support for accessing security information and applying security constraints in JSPs. To use the security tags in a JSP file, the following tag library declaration needs to be added:

<%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %>

You can choose a prefix of your own; you then use that prefix for every security tag in the JSP.

Security tags

Spring Security provides three tags for securing view layer information:

  • authorize tag
  • authentication tag
  • accesscontrollist tag

Let's see them one by one.

1) authorize tag:

This tag decides whether its body is evaluated or not. It comes in two flavours: securing content based on the user's granted roles (the ifAnyGranted, ifAllGranted and ifNotGranted attributes, or an access attribute holding a web security expression such as hasRole('ROLE_ADMIN')), or securing content based on whether the user is permitted to access a particular URL (the url attribute, which is evaluated against the same intercept-url rules that protect that URL on the server, so the view stays consistent with the actual access control). Note that ifAnyGranted, ifAllGranted and ifNotGranted were deprecated in Spring Security 3.1 and removed in 4.0; on current versions use the access attribute instead.

Sample usage will look like this:

<security:authorize ifAnyGranted="ROLE_ADMIN">
    <tr>
        <td colspan="2">
            <input type="submit" value="<spring:message code="label.add"/>"/>
        </td>
    </tr>
</security:authorize>
 
OR
 
<security:authorize url="/admin">
    <tr>
        <td colspan="2">
            <input type="submit" value="<spring:message code="label.add"/>"/>
        </td>
    </tr>
</security:authorize>

2) authentication tag

This tag allows access to the current Authentication object stored in the security context and renders one of its properties directly in the JSP. So, for example, if the principal property of the Authentication is an instance of Spring Security's UserDetails, then using <security:authentication property="principal.username" /> will render the name of the current user.

This tag does not enforce anything by itself, but it exposes information (username, authorities and so on) that can drive view layer decisions.

3) accesscontrollist tag

This tag is only valid when used with Spring Security's ACL module. It checks a comma-separated list of required permissions for a specified domain object. If the current user has any of those permissions, the tag body is evaluated; if not, it is skipped. With the prefix declared above it is used like this:

<security:accesscontrollist hasPermission="1,2" domainObject="someObject">
    This will be shown if the user has either of the permissions
    represented by the values "1" or "2" on the given object.
</security:accesscontrollist>

Example use in application

We developed an employee management application in the login form based Spring Security tutorial. In that application, any authenticated user can add, delete and list employees. Now let's modify the application so that a user who does not hold the 'ROLE_ADMIN' authority is not shown the Add button.

Below is the code change I made in the application's JSP:

<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %>
<html>
<head>
    <title>Spring 3 hibernate integration example on www.howtodoinjava.com</title>
</head>
<body>
 
<h2>Employee Management Screen : <security:authentication property="principal.username" /></h2>
<h6><a href="<c:url value='/j_spring_security_logout' />">Click here to logout</a></h6>
<form:form method="post" action="add" commandName="employee">
 
    <table>
    <tr>
        <td><form:label path="firstname"><spring:message code="label.firstname"></spring:message></form:label></td>
        <td><form:input path="firstname"></form:input></td>
    </tr>
    <tr>
        <td><form:label path="lastname"><spring:message code="label.lastname"></spring:message></form:label></td>
        <td><form:input path="lastname"></form:input></td>
    </tr>
    <tr>
        <td><form:label path="email"><spring:message code="label.email"></spring:message></form:label></td>
        <td><form:input path="email"></form:input></td>
    </tr>
    <tr>
        <td><form:label path="telephone"><spring:message code="label.telephone"></spring:message></form:label></td>
        <td><form:input path="telephone"></form:input></td>
    </tr>
    <%-- Only users holding ROLE_ADMIN get the Add button rendered.
         ifAnyGranted was removed in Spring Security 4.0; there use
         <security:authorize access="hasRole('ROLE_ADMIN')"> instead. --%>
    <security:authorize ifAnyGranted="ROLE_ADMIN">
    <tr>
        <td colspan="2">
            <input type="submit" value="<spring:message code="label.add"/>"/>
        </td>
    </tr>
    </security:authorize>
</table>
</form:form>
 
<h3>Employees</h3>
<c:if test="${!empty employeeList}">
<table class="data">
<tr>
    <th>Name</th>
    <th>Email</th>
    <th>Telephone</th>
    <th>&nbsp;</th>
</tr>
<%-- JSTL tag names are case-sensitive: c:forEach, not c:foreach.
     Employee fields are user-supplied, so they are written with c:out,
     which HTML-escapes them; a bare ${emp.email} would not. --%>
<c:forEach items="${employeeList}" var="emp">
    <tr>
        <td><c:out value="${emp.lastname}" />, <c:out value="${emp.firstname}" /></td>
        <td><c:out value="${emp.email}" /></td>
        <td><c:out value="${emp.telephone}" /></td>
        <td>delete</td>
    </tr>
</c:forEach>
</table>
</c:if>
 
</body>
</html>

Below is the result of the above changes in the browser.

After applying the security tags, the Add button is no longer rendered for a user without ROLE_ADMIN, and the logged-in user's name 'lokesh' appears on the screen.
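Hiding the Add button only changes what is rendered; a user with ROLE_USER can still send a POST to /add by hand. The following is an added example, not code from the original tutorial or its application, showing the server-side counterpart that must accompany the tag: a Spring Security Java configuration that restricts /add and /delete/** to ROLE_ADMIN (these are the same URL rules the tag's url attribute consults), plus the controller methods guarded with @PreAuthorize so the rule holds even if the URL mapping changes. The class names SecurityConfig and EmployeeController, the /delete/{id} mapping and the Employee and EmployeeService types are assumptions for illustration. The tutorial's own application was configured with XML, where the equivalent rule is <intercept-url pattern="/add" access="ROLE_ADMIN" />; the WebSecurityConfigurerAdapter style used here matches Spring Security 3.2 to 5.x (6.x uses a SecurityFilterChain bean instead).

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Server-side enforcement that backs the <security:authorize> tag in the JSP.
 * Assumed names for illustration: SecurityConfig, EmployeeController,
 * Employee, EmployeeService and the /delete/{id} mapping.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // URL rules: what the tag's url="/add" attribute would consult.
                // hasAuthority matches the full "ROLE_ADMIN" string, so the rule
                // reads the same whether or not this version auto-prefixes hasRole().
                .antMatchers("/add", "/delete/**").hasAuthority("ROLE_ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout();
        // CSRF protection stays enabled (the Java config default); Spring's
        // <form:form> tag emits the token as a hidden field, so a hand-crafted
        // POST without it is rejected before authorization is even consulted.
    }
}

// Assumed domain types from the tutorial's application, stubbed so the example compiles.
class Employee { }

interface EmployeeService {
    void add(Employee employee);
    void delete(Integer id);
}

@Controller
class EmployeeController {

    private final EmployeeService employeeService;

    @Autowired
    EmployeeController(EmployeeService employeeService) {
        this.employeeService = employeeService;
    }

    // Method-level rule: survives a URL remap or a second mapping onto this method.
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/add", method = RequestMethod.POST)
    public String addEmployee(@ModelAttribute("employee") Employee employee) {
        employeeService.add(employee);
        return "redirect:/";
    }

    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
    public String deleteEmployee(@PathVariable("id") Integer id) {
        employeeService.delete(id);
        return "redirect:/";
    }
}
```

With this in place the check is simple: log in as a user who only holds ROLE_USER, confirm the Add button is absent, then replay the form POST to /add from the browser's developer tools or curl; the response should be 403 rather than a new employee row. If it succeeds, the view layer was the only thing standing between the user and the action.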

Let me know if something is still unclear.


Posted on 03-08-2016 
