Role based User Interface creation using Spring JSP Taglibs

Spring Security provides JSP taglibs for customizing the user interface according to the authenticated user's role. With them we can show a portion of the UI to users with the admin role and hide it from everyone else.

This tutorial builds on the previous Spring Security tutorials. For a better understanding, first read the Configuring Spring Security in Spring Web MVC Application tutorial and then come back to this one.

Tools Used:

  • Spring MVC 3.0.3
  • Spring JDBC 3.0.5
  • Spring Security 3.0.5
  • Eclipse Indigo 3.7
  • Tomcat 6
  • JDK 1.6

The tutorial illustrates a practical example with two users of different roles, "ROLE_ADMIN" and "ROLE_USER". We will modify our Configuring Spring Security in Spring Web MVC Application example to implement role based UI modification using the Spring Security JSP taglibs: the welcome page will be changed so that one portion is visible to the admin and another portion to the user.

Including Spring Security JSP Taglib

We have to declare the Spring Security taglib in our JSP file to use role based user interface modification:


<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>

Authorize tag in Spring Security taglib

The authorize tag is used for role based user interface creation. For example, if we want a JSP portion that is visible only to users with role "ROLE_ADMIN", it looks like the following:


<sec:authorize access="hasRole('ROLE_ADMIN')">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>

If we put this code in the JSP, the message is shown only to users with role "ROLE_ADMIN". The "access" attribute holds a Spring Security EL expression; only if the expression evaluates to true for the logged in user is the HTML inside the "<sec:authorize/>" tag rendered. The expression in the access attribute is passed to the WebSecurityExpressionHandler defined in the web context, so we have to make a WebSecurityExpressionHandler available in our security context. It can be done in two ways:

  1. Use the default WebSecurityExpressionHandler, which is only available if we specify use-expressions="true" on the <http/> tag in our Spring Security configuration file.
  2. Register your own WebSecurityExpressionHandler bean in the Spring Security configuration file.

Common built-in expressions

The following common expressions can be used in the access attribute of the "<sec:authorize/>" tag:

  • hasRole([role]) : Returns true only if the logged in user has the role specified in [role].
  • hasAnyRole([role1,role2]) : Returns true only if the logged in user has at least one of the roles specified in [role1,role2]. The roles are given as a comma separated list.
  • isAnonymous() : Returns true only if the current user is an anonymous user.
  • isAuthenticated() : Returns true if the user is not an anonymous user.
  • isFullyAuthenticated() : Returns true if the user is neither an anonymous user nor a remember-me user.
  • isRememberMe() : Returns true if the user is a remember-me user.

Our Example:

Modifying Spring Security Configuration File (security.xml)


<?xml version="1.0" encoding="UTF-8"?>

<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http realm="Project Realm" auto-config="true" use-expressions="true">
    <intercept-url pattern="/auth/**" filters="none"/>
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
    <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
    <logout logout-success-url="/auth/login.jsp"/>
    <remember-me />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            <user name="customer" password="customer" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

</b:beans>

We have modified security.xml to:

  • Create two users with different roles.
  • Specify the attribute use-expressions="true" on the <http/> tag.
  • Give both users access to the URL pattern "/**".

Modifying welcome.jsp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page session="true" %>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Spring Security 3 JSP Taglibs- This is a secure page</title>
        <meta http-equiv="Content-Type" content="text/html; charset=windows-1251" />
    </head>
    <body>
        <h1>Welcome!</h1><br />
        <sec:authorize access="hasRole('ROLE_ADMIN')">
         This session will be visible to an admin only.<br/>
         You are an Administrator.<br/>
        </sec:authorize>
        <sec:authorize access="hasRole('ROLE_USER')">
         This session will be visible to a Customer only.<br/>
         You are a Customer.<br/>
        </sec:authorize>
        ${HelloMessage}<br />
        <a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
    </body>
</html>

We have just added two messages: one for the admin user and another for the customer user.
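To make the two layers of this setup concrete, here is an added example (not code from the tutorial or from Spring Security) that models, in plain Python, the built-in expressions listed earlier, the two <intercept-url> rules of security.xml, and the two <sec:authorize> blocks of welcome.jsp. The Authentication class, its "anonymous"/"remember-me"/"full" labels, the sample users and the Ant-pattern matcher are all constructed for the example; Spring's real implementation is not reproduced. The point it shows is the one a reviewer checks first: the tag only decides what is rendered, while the <intercept-url> rule is what actually refuses an anonymous request to the page.

```python
import re
from dataclasses import dataclass


# Constructed model of a principal. `kind` is our own label ("anonymous",
# "remember-me" or "full"); Spring derives the same facts from the concrete
# Authentication class, which this model does not reproduce.
@dataclass(frozen=True)
class Authentication:
    name: str
    roles: frozenset
    kind: str


# Constructed sample principals matching the tutorial's <user-service> users.
ANONYMOUS = Authentication("anonymousUser", frozenset({"ROLE_ANONYMOUS"}), "anonymous")
USERS = {
    "admin": Authentication("admin", frozenset({"ROLE_ADMIN"}), "full"),
    "customer": Authentication("customer", frozenset({"ROLE_USER"}), "full"),
}
# The customer returning through the <remember-me/> cookie instead of the login form.
REMEMBERED_CUSTOMER = Authentication("customer", frozenset({"ROLE_USER"}), "remember-me")

_CALL = re.compile(r"^\s*(\w+)\((.*)\)\s*$")


def evaluate(expression, auth):
    """Evaluate one of the tutorial's built-in expressions against `auth`."""
    m = _CALL.match(expression)
    if not m:
        raise ValueError("unsupported expression: %r" % expression)
    func = m.group(1)
    args = re.findall(r"'([^']*)'", m.group(2))  # 'ROLE_A','ROLE_B' -> ['ROLE_A', 'ROLE_B']
    if func == "hasRole":
        return args[0] in auth.roles
    if func == "hasAnyRole":
        return any(role in auth.roles for role in args)
    if func == "isAnonymous":
        return auth.kind == "anonymous"
    if func == "isAuthenticated":
        return auth.kind != "anonymous"
    if func == "isRememberMe":
        return auth.kind == "remember-me"
    if func == "isFullyAuthenticated":
        return auth.kind == "full"  # neither anonymous nor remember-me
    raise ValueError("unsupported expression: %r" % expression)


# The <intercept-url> rules from security.xml, in file order. access=None
# stands for filters="none" (the URL bypasses the security filter chain).
INTERCEPT_URLS = [
    ("/auth/**", None),
    ("/**", "hasAnyRole('ROLE_ADMIN','ROLE_USER')"),
]


def _ant_to_regex(pattern):
    """Minimal Ant-style matcher: '**' spans directories, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def is_allowed(path, auth, rules=INTERCEPT_URLS):
    """Server-side decision: the first matching <intercept-url> wins."""
    for pattern, access in rules:
        if _ant_to_regex(pattern).match(path):
            return True if access is None else evaluate(access, auth)
    return True  # no pattern matched: the URL is not intercepted at all


# The two <sec:authorize> blocks of welcome.jsp: (access expression, body).
AUTHORIZE_BLOCKS = [
    ("hasRole('ROLE_ADMIN')", "You are an Administrator."),
    ("hasRole('ROLE_USER')", "You are a Customer."),
]


def render_welcome(auth):
    """Return only the bodies whose access expression holds for `auth`.
    This is the tag's rendering decision; it never stops a request by itself."""
    return [body for access, body in AUTHORIZE_BLOCKS if evaluate(access, auth)]


if __name__ == "__main__":
    samples = [("anonymous", ANONYMOUS), ("remembered customer", REMEMBERED_CUSTOMER)]
    for label, auth in samples + list(USERS.items()):
        print("%-20s /welcome allowed=%-5s fragments=%s"
              % (label, is_allowed("/welcome", auth), render_welcome(auth)))
```

Running it shows the admin and the customer each getting exactly their own fragment, the anonymous principal getting no fragment but also being refused at "/welcome" by the "/**" rule while still reaching "/auth/login.jsp", and the remember-me customer passing isAuthenticated() and isRememberMe() but not isFullyAuthenticated(). If a page needs to be unreachable rather than merely unrendered, the decision belongs in <intercept-url>, not in the tag.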

Export the project as a WAR file and deploy it to Tomcat 6. Hit the URL in the browser. You will get the following login page:

Spring Security Custom Login Page

Now, log in with username and password "admin"; you will get the following screen, which shows the admin message only:

Spring Security JSP Taglibs Admin Page

After logging out, log in again with username and password "customer". You will get the message for the customer user only.

Spring Security JSP Taglibs Customer Page

You can download the source code or the WAR file of the example from the following links:

Source: Download

War: Download
