Url Permission Based User Interface Creation in Spring Security

In the previous tutorial, we learned how to customize JSP output based on the role of the logged-in user with the help of the Spring Security JSP Taglibs. Now we will learn how to customize the JSP page on the basis of a secured URL: if the logged-in user has permission to visit the URL given in the taglib attribute, the enclosed JSP segment is rendered; otherwise the segment is not shown to the user.

Consider the situation where we are creating a common menu bar for the logged-in users. The menu will contain links for the admin as well as for the customers. Some of the menu items are common to both kinds of users and some are specific to the admin or the customer.

In such a situation we use URL-permission-based user interface creation with the Spring Security Taglibs: we check whether the user has permission to visit the menu URL, and only then is the menu link shown; otherwise the link is not rendered at all.

This tutorial assumes that you have read the following tutorials before reading this one:

  1. Configuring Spring Security in Spring Web MVC Application.
  2. Role based User Interface creation using Spring JSP Taglibs.

Please read those tutorials, or if you already know how to set up the Spring Security JSP Taglibs for use in a JSP, you can continue with this tutorial.

Tools Used:

  • Spring MVC 3.0.3
  • Spring Security 3.0.5
  • Eclipse Indigo 3.7
  • Tomcat 6
  • Jdk 1.6

Tutorial Example and Explanation:

In our example, there are two users in the Spring Security configuration: “admin” and “customer”. They have different roles, but the welcome page is shared between both users; they are redirected to it after a successful login. We also have two URL patterns, “/admin/**” and “/users/**”, configured in the Spring Security configuration file. Only the admin user has the right to view pages under “/admin/**”, and only the customer has permission to visit URLs under “/users/**”.

Spring Security Configuration file

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- The intercept-url rules are the actual access control enforced on every request;
         the <sec:authorize url="..."> tag only asks whether the current user would pass them. -->
    <http realm="Project Realm" auto-config="true" use-expressions="true">
        <intercept-url pattern="/auth/**" filters="none"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/users/**" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
        <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <logout logout-success-url="/auth/login.jsp"/>
        <remember-me />
    </http>

    <!-- In-memory users for the example: "admin" holds ROLE_ADMIN, "customer" holds ROLE_USER -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
                <user name="customer" password="customer" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>


We have modified our configuration file as shown above.

Welcome page to create url permission based jsp segments

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page session="true" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Security 3 JSP Taglibs - This is a secure page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
    <h1>Welcome!</h1><br />
    <%-- Rendered only if the logged-in user is allowed to request URLs under /admin/ --%>
    <sec:authorize url="/admin/*">
        This section will be visible to an admin only.<br/>
        You are an Administrator.<br/>
    </sec:authorize>
    <%-- Rendered only if the logged-in user is allowed to request URLs under /users/ --%>
    <sec:authorize url="/users/*">
        This section will be visible to a Customer only.<br/>
        You are a Customer.<br/>
    </sec:authorize>
    <%-- Shared part of the welcome page, shown to both users --%>
    ${HelloMessage}<br />
    <a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
</body>
</html>

<sec:authorize url="/admin/*"> : the JSP segment inside the <sec:authorize> tag is shown to the logged-in user only if he or she has permission to view the pages under the URL “/admin/*”, that is, only if the intercept-url rules in the configuration would let that user through to it.

So if we log in with the credentials of the admin user we see the message specific to the admin only, and likewise with the customer credentials.
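The common menu bar from the introduction, written with the same tag, as an added example that is not part of the original tutorial. It assumes the intercept-url rules of the configuration above, and the menu paths /welcome, /admin/users, /admin/reports and /users/orders are hypothetical controller mappings:

```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<%-- Shared menu fragment, e.g. pulled into each page with <jsp:include page="menu.jsp"/> --%>
<ul id="menu">
    <%-- Common item: /welcome only matches the /** rule, so any logged-in user passes --%>
    <li><a href="<c:url value="/welcome"/>">Home</a></li>

    <%-- Admin-only items: rendered only if this user would be allowed to request /admin/users,
         i.e. if the /admin/** rule (hasRole('ROLE_ADMIN')) passes for the current Authentication --%>
    <sec:authorize url="/admin/users">
        <li><a href="<c:url value="/admin/users"/>">Manage users</a></li>
        <li><a href="<c:url value="/admin/reports"/>">Reports</a></li>
    </sec:authorize>

    <%-- Customer-only item: same check, this time against the /users/** rule (hasRole('ROLE_USER')) --%>
    <sec:authorize url="/users/orders">
        <li><a href="<c:url value="/users/orders"/>">My orders</a></li>
    </sec:authorize>

    <%-- Hiding a link is cosmetic: a customer who types /admin/users by hand is still rejected
         by the intercept-url rule on the server, which is what makes the restriction real --%>
    <li><a href="<c:url value="/j_spring_security_logout"/>">Logout</a></li>
</ul>
```

Because the tag evaluates the URL through the same rules as a real request, the menu stays consistent with the server-side configuration without duplicating role names in the JSP.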

Deploy the war file in the Tomcat 6 server and open the application URL in a web browser; you will be shown the login page for authentication:

[Screenshot: Spring Security Custom Login Page]

Now log in with the username and password “admin”. The welcome page will show only the message associated with the admin user:

[Screenshot: Spring Security JSP Taglibs Admin Page]

After that, click Logout and log in again with the username and password “customer”. You will see only the message related to the customer user:

[Screenshot: Spring Security JSP Taglibs Customer Page]

You can download the source code or the war file of the above example from the following links:

Source: Download

War: Download
