Declaring the Taglib
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
The authorize Tag
<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have the "supervisor" authority in their list
of GrantedAuthority objects.
</sec:authorize>
<sec:authorize access="hasPermission(#domain,'read') or hasPermission(#domain,'write')">
This content will only be visible to users who have read or write permission to the Object found as a
request attribute named "domain".
</sec:authorize>
<sec:authorize url="/admin">
This content will only be visible to users who are authorized to send requests to the "/admin" URL.
</sec:authorize>
Disabling Tag Authorization for Testing
If you set the system property spring.security.disableUISecurity to true, the authorize tag will still run but will not hide its contents. By default it will also surround the content with <span class="securityHiddenUI">…</span> tags. This allows you to display "hidden" content with a particular CSS style such as a different background colour. Try running the "tutorial" sample application with this property enabled, for example.
You can try this with the sample application below. After downloading it, run the following command (Gradle must be installed):
gradle jettyRun -Dspring.security.disableUISecurity=true
Once the application is running, visit http://localhost:8080/sample. The text highlighted with an orange background is the content that the authorize tag would hide if the property were not set (or were set to false).
The authentication Tag
<sec:authentication property="principal.username" />
You can access the Authentication object in your MVC controller
(by calling SecurityContextHolder.getContext().getAuthentication()) and add the data
directly to your model for rendering by the view.
The accesscontrollist Tag
<sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">
This will be shown if the user has either of the permissions represented by the values "1" or "2" on the
given object.
</sec:accesscontrollist>
The csrfInput Tag
If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for
the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
Normally Spring Security automatically inserts a CSRF form field for any <form:form> tags you use,
but if for some reason you cannot use <form:form>, csrfInput is a handy replacement.
You should place this tag within an HTML <form></form> block, where you would normally place
other input fields. Do NOT place this tag within a Spring <form:form></form:form> block—Spring
Security handles Spring forms automatically.
<form method="post" action="/do/something">
<sec:csrfInput />
Name:<br />
<input type="text" name="name" />
...
</form>
The csrfMetaTags Tag
If CSRF protection is enabled, this tag inserts meta tags containing the CSRF protection token form
field and header names and CSRF protection token value. These meta tags are useful for employing
CSRF protection within JavaScript in your applications.
You should place csrfMetaTags within an HTML <head></head> block, where you would normally
place other meta tags. Once you use this tag, you can access the form field name, header name, and
token value easily using JavaScript. jQuery is used in this example to make the task easier; it must be loaded before the script below runs.
<!DOCTYPE html>
<html>
<head>
<title>CSRF Protected JavaScript Page</title>
<meta name="description" content="This is the description for this page" />
<sec:csrfMetaTags />
<script type="text/javascript" language="javascript">
var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");
// using XMLHttpRequest directly to send an x-www-form-urlencoded request
var ajax = new XMLHttpRequest();
ajax.open("POST", "http://www.example.org/do/something", true);
ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajax.send(csrfParameter + "=" + csrfToken + "&name=John&...");
// using XMLHttpRequest directly to send a non-x-www-form-urlencoded request
var ajax = new XMLHttpRequest();
ajax.open("POST", "http://www.example.org/do/something", true);
ajax.setRequestHeader(csrfHeader, csrfToken);
ajax.send("...");
// using jQuery to send an x-www-form-urlencoded request
var data = {};
data[csrfParameter] = csrfToken;
data["name"] = "John";
...
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
data: data,
...
});
// using jQuery to send a non-x-www-form-urlencoded request
var headers = {};
headers[csrfHeader] = csrfToken;
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
headers: headers,
...
});
</script>
</head>
<body>
...
</body>
</html>
If CSRF protection is not enabled, csrfMetaTags outputs nothing.
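As an added example (not code from the Spring Security reference or from the project), the helper below does the same job as the snippets above with fetch() instead of jQuery, and adds two checks a practitioner would want: it URL-encodes the token when it is sent as a form parameter, instead of concatenating it into the body, and it refuses to attach the token to a cross-origin URL, because the token is a per-session secret that must only be returned to the origin that issued it. It assumes the default meta tag names shown above (_csrf_parameter, _csrf_header, _csrf); the function names readCsrfMeta and buildCsrfRequest, the parameters root and pageOrigin, and the origin and paths in the usage comment are chosen here for illustration.

```javascript
// Added example, not part of the Spring Security reference. Reads the three <meta> tags
// emitted by <sec:csrfMetaTags /> and builds a fetch() request that carries the token the
// way the server expects: as a form parameter for x-www-form-urlencoded posts, as a header
// for everything else.
//
// Assumptions: default meta tag names (_csrf_parameter, _csrf_header, _csrf); `root` is any
// object with querySelector (document in a browser, a stub in tests); `pageOrigin` is the
// page's own origin (window.location.origin in a browser).

const readCsrfMeta = (root) => {
  const read = (name) => {
    const el = root.querySelector(`meta[name='${name}']`);
    return el ? el.getAttribute('content') : null;
  };
  const csrf = {
    parameter: read('_csrf_parameter'),
    header: read('_csrf_header'),
    token: read('_csrf'),
  };
  // csrfMetaTags outputs nothing when CSRF protection is disabled. Return null so callers
  // can tell "no token on this page" apart from a token, rather than sending "null".
  if (!csrf.parameter || !csrf.header || !csrf.token) return null;
  return csrf;
};

const buildCsrfRequest = (csrf, url, pageOrigin, body) => {
  // Resolve relative URLs against the page origin, then refuse any cross-origin target:
  // posting the token to another host would hand a third party the session's CSRF secret.
  const target = new URL(url, pageOrigin);
  if (target.origin !== pageOrigin) {
    throw new Error(`refusing to send CSRF token cross-origin to ${target.origin}`);
  }
  const init = { method: 'POST', credentials: 'same-origin', headers: {} };
  if (body instanceof URLSearchParams) {
    // Form post: add the token under the configured parameter name. URLSearchParams
    // percent-encodes it, so a token containing '+' or '=' is not mangled on the wire.
    body.set(csrf.parameter, csrf.token);
    init.headers['Content-Type'] = 'application/x-www-form-urlencoded';
    init.body = body.toString();
  } else {
    // Non-form body (JSON here): the token travels in the configured header instead.
    init.headers[csrf.header] = csrf.token;
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return { url: target.toString(), init };
};

// Usage on a page that contains <sec:csrfMetaTags /> (browser only; origin and path are
// illustrative):
//   const csrf = readCsrfMeta(document);
//   if (csrf) {
//     const { url, init } = buildCsrfRequest(csrf, '/do/something', window.location.origin,
//                                            new URLSearchParams({ name: 'John' }));
//     fetch(url, init);
//   }
```

The same-origin check is the point the page's XMLHttpRequest examples leave implicit: they post to an absolute URL, which is only safe when that URL is the page's own origin. If the token is missing, readCsrfMeta returns null and the caller can fall back to a request without a token, which is exactly what the server expects when CSRF protection is disabled.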
References: spring-security-reference