Wednesday 12 December 2012

Role Based Spring Security

Posted by Naveen Katiyar on 04:51

Role Based User Interface Creation Using Spring JSP Taglibs

Spring Security provides JSP taglibs for customizing the user interface according to the authenticated user's role. With them we can show a portion of the UI only to users holding the admin role and hide it from everyone else.

This tutorial is based on the previous Spring Security Tutorials. You should first read Getting Started with Spring Security tutorial and then read this tutorial for better understanding.

Tools Used:
  • Spring MVC 3.0.3
  • Spring JDBC 3.0.5
  • Spring Security 3.0.5
  • Eclipse Indigo 3.7
  • Tomcat 6
  • JDK 1.6
The tutorial illustrates a practical example with two users holding different roles, “ROLE_ADMIN” and “ROLE_USER”. We will modify our Getting Started with Spring Security example to implement role-based UI modification using the Spring Security JSP taglibs: the welcome page will show one portion to the admin and another portion to the user.

Including Spring Security JSP Taglib

We have to declare the Spring Security taglib in our JSP file before we can use the role-based user interface feature:


<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>


Authorize tag in Spring Security taglib

The authorize tag is used for role-based user interface creation. For example, if we want a JSP portion that is visible only to users with the role “ROLE_ADMIN”, it will look like the following code:


<sec:authorize access="hasRole('ROLE_ADMIN')">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>


If we put this code in the JSP, the message will be shown only to users with the role “ROLE_ADMIN”. The “access” attribute specifies a Spring Security EL expression; only if the expression evaluates to true for the logged-in user is the HTML inside the “<sec:authorize/>” tag rendered. The expression in the access attribute is sent to the WebSecurityExpressionHandler defined in the web context, so we have to make a WebSecurityExpressionHandler available in our security context. It can be done in two ways:
  1. Use the default WebSecurityExpressionHandler, which is only available if we specify use-expressions="true" on the <http/> tag in our Spring Security configuration file.
  2. Register your own WebSecurityExpressionHandler bean in the Spring Security configuration file.


Common built-in expressions

Following are the common expressions that can be used in the access attribute of the “<sec:authorize/>” tag:
  • hasRole([role]) : Returns true only if the logged-in user has the role specified in [role].
  • hasAnyRole([role1,role2]) : Returns true only if the logged-in user has at least one of the roles specified in [role1,role2]. The roles are given as a comma-separated list.
  • isAnonymous() : Returns true only if the current user is an anonymous user.
  • isAuthenticated() : Returns true if the user is not an anonymous user.
  • isFullyAuthenticated() : Returns true if the user is neither an anonymous user nor a remember-me user, i.e. they authenticated with credentials in this session.
  • isRememberMe() : Returns true if the user is a remember-me user.

Our Example:

Modifying Spring Security Configuration File (spring-security.xml)


<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http realm="Project Realm" auto-config="true" use-expressions="true">
        <intercept-url pattern="/auth/**" filters="none"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
        <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <logout logout-success-url="/auth/login.jsp"/>
        <remember-me />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
                <user name="customer" password="customer" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</b:beans>



We have modified spring-security.xml to:
  • Create two users with different roles.
  • Specify the attribute use-expressions="true" on the <http/> tag.
  • Give both users access to the URL pattern “/**”.
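The <sec:authorize/> tag only decides what is rendered; it does not stop a customer from requesting an admin URL directly. The same expressions listed above are also accepted by the access attribute of <intercept-url/> once use-expressions="true" is set, so the server-side rule is where access is actually enforced. The following spring-security.xml is an added example, not the tutorial's own file: it keeps the tutorial's users and login setup and adds two hypothetical URL areas, /admin/** and /account/**, to show how the rules are ordered. Both paths are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http realm="Project Realm" auto-config="true" use-expressions="true">
        <!-- The login page must stay reachable without authentication. -->
        <intercept-url pattern="/auth/**" filters="none"/>

        <!-- Rules are evaluated top to bottom and the first matching pattern wins,
             so the specific admin-only area (hypothetical path) comes BEFORE the
             /** catch-all; placed after it, it would never be consulted. -->
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>

        <!-- Hypothetical account-settings area: a remember-me cookie is not
             enough here, the user must have entered a password in this session. -->
        <intercept-url pattern="/account/**" access="isFullyAuthenticated()"/>

        <!-- Everything else: any user holding one of the two roles, including
             users authenticated by the remember-me cookie. -->
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>

        <form-login login-page="/auth/login.jsp"
                    authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <logout logout-success-url="/auth/login.jsp"/>
        <remember-me/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
                <user name="customer" password="customer" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</b:beans>
```

With this in place, a customer who types /admin/ into the address bar gets an access-denied response from the filter chain regardless of what the welcome page rendered for them. To keep the page and the rules from drifting apart, the authorize tag in Spring Security 3.0 also accepts a url attribute (for example <sec:authorize url="/admin/">), which renders its body only when the current user would pass the <intercept-url/> rule for that URL; the namespace configuration registers the WebInvocationPrivilegeEvaluator this needs.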

Modifying welcome.jsp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page session="true" %>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Spring Security 3 JSP Taglibs - This is a secure page</title>
        <meta http-equiv="Content-Type" content="text/html; charset=windows-1251" />
    </head>
    <body>
        <h1>Welcome!</h1><br />
        <%-- Rendered only for users holding ROLE_ADMIN --%>
        <sec:authorize access="hasRole('ROLE_ADMIN')">
         This session will be visible to an admin only.<br/>
         You are an Administrator.<br/>
        </sec:authorize>
        <%-- Rendered only for users holding ROLE_USER --%>
        <sec:authorize access="hasRole('ROLE_USER')">
         This session will be visible to a Customer only.<br/>
         You are a Customer.<br/>
        </sec:authorize>
        ${HelloMessage}<br />
        <a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
    </body>
</html>
 

We have just added two messages: one for the admin user and another for the customer user.

Download Source Code


