
Spring Security JSP Tag Libraries

SSKK 2015. 4. 15. 23:34

Declaring the Taglib


<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>


The authorize Tag


<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have the "supervisor" authority in their list of GrantedAuthority objects.
</sec:authorize>


<sec:authorize access="hasPermission(#domain,'read') or hasPermission(#domain,'write')">
This content will only be visible to users who have read or write permission to the Object found as a request attribute named "domain".
</sec:authorize>


The access attribute needs the web security expression handler that the <http use-expressions="true"> namespace configuration registers, and hasPermission() additionally needs a PermissionEvaluator (for example the ACL module's AclPermissionEvaluator) to be set on that handler: the default DenyAllPermissionEvaluator denies every hasPermission() call.


<sec:authorize url="/admin">
This content will only be visible to users who are authorized to send requests to the "/admin" URL.
</sec:authorize>


The url form asks the application's own URL security configuration whether the current user may request that URL (the optional method attribute, for example method="POST", restricts the check to one HTTP method), so the JSP does not duplicate the access rules. In every form the tag only controls what the JSP renders; the underlying URLs and methods must still be secured on the server side, otherwise a user can simply type the address of the "hidden" function.


Disabling Tag Authorization for Testing


If you set the system property spring.security.disableUISecurity to true, the authorize tag will still run but will not hide its contents. Instead it surrounds the content with <span class="securityHiddenUI">…</span> tags, which lets you display the "hidden" content with a particular CSS style such as a different background colour. Try running the "tutorial" sample application with this property enabled, for example. Because it is a JVM system property it affects every authorize tag in the application at once, so it is a development aid only and must never be set on a production server.


This can be tested with the following sample:


tutorial-xml.zip


After downloading and unpacking it, run the command below (Gradle must be installed):


gradle jettyRun -Dspring.security.disableUISecurity=true


Once it is running, visit http://localhost:8080/sample and you will see the page shown below.


The text highlighted with an orange background is the content that would be hidden when the property is false or not set.


The authentication Tag


<sec:authentication property="principal.username" />


You can access the Authentication object in your MVC controller

(by calling SecurityContextHolder.getContext().getAuthentication()) and add the data

directly to your model for rendering by the view.


The accesscontrollist Tag


<sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">

This will be shown if the user has all of the permissions represented by the values "1" or "2" on the

given object.

</sec:accesscontrollist>



The csrfInput Tag


If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for

the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.

Normally Spring Security automatically inserts a CSRF form field for any <form:form> tags you use,

but if for some reason you cannot use <form:form>, csrfInput is a handy replacement.

You should place this tag within an HTML <form></form> block, where you would normally place

other input fields. Do NOT place this tag within a Spring <form:form></form:form> block—Spring

Security handles Spring forms automatically.


<form method="post" action="/do/something">

<sec:csrfInput />

Name:<br />

<input type="text" name="name" />

...

</form>


The csrfMetaTags Tag


If CSRF protection is enabled, this tag inserts meta tags containing the CSRF protection token form

field and header names and CSRF protection token value. These meta tags are useful for employing

CSRF protection within JavaScript in your applications.


You should place csrfMetaTags within an HTML <head></head> block, where you would normally place other meta tags. Once you use this tag, you can access the form field name, header name, and token value easily using JavaScript. jQuery is used in this example to make the task easier; it must be loaded before the script that reads the tags.


<!DOCTYPE html>
<html>
<head>
<title>CSRF Protected JavaScript Page</title>
<meta name="description" content="This is the description for this page" />
<sec:csrfMetaTags />
<!-- jQuery must already be loaded here for the $.ajax calls below -->
<script type="text/javascript">
  // read the names and the token that csrfMetaTags rendered into <head>
  var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
  var csrfHeader = $("meta[name='_csrf_header']").attr("content");
  var csrfToken = $("meta[name='_csrf']").attr("content");

  // using XMLHttpRequest directly to send an x-www-form-urlencoded request:
  // the token is sent as a form field in the body
  var formXhr = new XMLHttpRequest();
  formXhr.open("POST", "http://www.example.org/do/something", true);
  formXhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  formXhr.send(encodeURIComponent(csrfParameter) + "=" + encodeURIComponent(csrfToken) + "&name=John&...");

  // using XMLHttpRequest directly to send a non-x-www-form-urlencoded request:
  // the token is sent in the header Spring Security expects
  var otherXhr = new XMLHttpRequest();
  otherXhr.open("POST", "http://www.example.org/do/something", true);
  otherXhr.setRequestHeader(csrfHeader, csrfToken);
  otherXhr.send("...");

  // using jQuery to send an x-www-form-urlencoded request
  var data = {};
  data[csrfParameter] = csrfToken;
  data["name"] = "John";
  ...
  $.ajax({
    url: "http://www.example.org/do/something",
    type: "POST",
    data: data,
    ...
  });

  // using jQuery to send a non-x-www-form-urlencoded request
  var headers = {};
  headers[csrfHeader] = csrfToken;
  $.ajax({
    url: "http://www.example.org/do/something",
    type: "POST",
    headers: headers,
    ...
  });
</script>
</head>
<body>
...
</body>
</html>


If CSRF protection is not enabled, csrfMetaTags outputs nothing.
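As an added example (not code from the Spring Security reference or from this post), the following JavaScript reads the three meta tags that csrfMetaTags renders and attaches the token to same-origin requests. It assumes Spring Security's default names (parameter _csrf, header X-CSRF-TOKEN) and, so that it also runs outside a browser, parses a constructed <head> string instead of document.head; the token value, the origin http://localhost:8080 and the /do/something URL are made up, and the fetch function is injected so the stub echoFetch can stand in for window.fetch. It handles two cases the snippet above does not: the tags being absent because CSRF protection is disabled, and a request to another origin, which it refuses so the token is never handed to a third-party site.

```javascript
// Added example, not from the Spring Security reference or the original post.
// In a real page you would read document.head; SAMPLE_HEAD is a constructed
// string standing in for what <sec:csrfMetaTags /> renders with Spring's default
// names (parameter "_csrf", header "X-CSRF-TOKEN"). The token value is made up.
const SAMPLE_HEAD = `
<head>
  <title>CSRF Protected JavaScript Page</title>
  <meta name="_csrf_parameter" content="_csrf" />
  <meta name="_csrf_header" content="X-CSRF-TOKEN" />
  <meta name="_csrf" content="6e7c1a5e-constructed-token" />
</head>`;

// Constructed head of a page where CSRF protection is disabled: the tag outputs nothing.
const SAMPLE_HEAD_NO_CSRF = `<head><title>No CSRF</title></head>`;

// Return the content attribute of <meta name="..."> in an HTML string, or null.
// Assumes the attribute order the tag emits (name before content).
function readMeta(html, name) {
  const re = new RegExp(`<meta\\s+name=["']${name}["']\\s+content=["']([^"']*)["']`, "i");
  const m = html.match(re);
  return m ? m[1] : null;
}

// Collect { parameterName, headerName, token }; null when the tags are absent,
// so callers send a plain request instead of guessing a header name.
function readCsrfMeta(html) {
  const parameterName = readMeta(html, "_csrf_parameter");
  const headerName = readMeta(html, "_csrf_header");
  const token = readMeta(html, "_csrf");
  if (!parameterName || !headerName || !token) return null;
  return { parameterName, headerName, token };
}

// Body for an application/x-www-form-urlencoded POST. The token is a form field,
// never a query-string parameter, so it does not end up in access logs or Referer headers.
function buildFormBody(csrf, fields) {
  const pairs = [];
  if (csrf) pairs.push([csrf.parameterName, csrf.token]);
  for (const [k, v] of Object.entries(fields)) pairs.push([k, v]);
  return pairs
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Headers for a non-form POST (e.g. JSON): the token travels in the header the
// server expects; the meta tag supplies its name so the client does not hard-code it.
function buildHeaders(csrf, base) {
  const headers = Object.assign({}, base || {});
  if (csrf) headers[csrf.headerName] = csrf.token;
  return headers;
}

// Resolve url against origin and refuse any other origin: the CSRF token is a
// secret for this site and must not be sent to a third party.
function assertSameOrigin(url, origin) {
  const target = new URL(url, origin);
  if (target.origin !== origin) {
    throw new Error("refusing to send CSRF token cross-origin to " + target.origin);
  }
  return target.href;
}

// POST url-encoded fields. fetchFn is injected (window.fetch in a browser, a stub here).
function postForm(fetchFn, origin, url, csrf, fields) {
  const href = assertSameOrigin(url, origin);
  return fetchFn(href, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildFormBody(csrf, fields),
  });
}

// POST a JSON body with the token in the header instead of the body.
function postJson(fetchFn, origin, url, csrf, obj) {
  const href = assertSameOrigin(url, origin);
  return fetchFn(href, {
    method: "POST",
    credentials: "same-origin",
    headers: buildHeaders(csrf, { "Content-Type": "application/json" }),
    body: JSON.stringify(obj),
  });
}

// Stand-alone demo with a stub fetch that echoes its arguments (hypothetical URL).
const echoFetch = (href, init) => ({ href, init });
const csrfFromPage = readCsrfMeta(SAMPLE_HEAD);
const demo = postJson(echoFetch, "http://localhost:8080", "/do/something", csrfFromPage, { name: "John" });
console.log(demo.href, demo.init.headers["X-CSRF-TOKEN"]);
```

In a browser, replace the SAMPLE_HEAD lookup with readCsrfMeta(document.head.innerHTML) (or read the meta elements directly) and pass window.fetch as fetchFn; the same-origin check is what keeps a refactor that points the request at an absolute third-party URL from leaking the token.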


References: spring-security-reference