In this tutorial, we'll take a look at Spring Security Taglibs, which provides basic support for accessing security information and applying security constraints in JSPs.
2. Maven Dependencies
First of all, let’s add the spring-security-taglibs dependency to our pom.xml:
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-taglibs</artifactId> <version>5.2.2.RELEASE</version> </dependency>
3. Declaring the Taglibs
Now, before we can use the tags, we need to import the taglib at the top of our JSP file:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
After adding this, we'll be able to specify Spring Security's tags with the sec prefix.
4. The authorize Tag
4.1. access Expressions
In our applications, we might have information which should be shown only for certain roles or users.
When this is the case, we can use the authorize tag:
<sec:authorize access="!isAuthenticated()"> Login </sec:authorize> <sec:authorize access="isAuthenticated()"> Logout </sec:authorize>
Furthermore, we can check if an authenticated user has specific roles:
<sec:authorize access="hasRole('ADMIN')"> Manage Users </sec:authorize>
And we can use any Spring Security expression as our value for access:
- hasAnyRole(‘ADMIN','USER') returns true if the current user has any of the listed roles
- isAnonymous() returns true if the current principal is an anonymous user
- isRememberMe() returns true if the current principal is a remember-me user
- isFullyAuthenticated() returns true if the user is authenticated and is neither anonymous nor a remember-me user
Other than that, we can check for users who are authorized to send requests to the certain URLs:
<sec:authorize url="/userManagement"> <a href="/userManagement">Manage Users</a> </sec:authorize>
There may be cases where we want more control over the UI, for example in testing scenarios. Instead of having Spring Security skip rendering these unauthorized sections, we can set spring.security.disableUISecurity=true in, say, our application.properties file.
When we do this, the authorize tag won't hide its contents. Instead, it will wrap the content with <span class=”securityHiddenUI”>… </span> tags instead. Then, we can customize the rendering ourselves with some CSS.
Remember though that hiding content via CSS isn't secure! The user can simply view the source to see unauthorized content.
5. The authentication Tag
At other times, we'll want to display details about the logged in user, like saying something like “Welcome Back, Carol!” on the site.
For this, we use the authentication tag:
<sec:authorize access="isAuthenticated()"> Welcome Back, <sec:authentication property="name"/> </sec:authorize>
6. The csrfInput Tag
Hopefully, we have Spring Security's CSRF defense enabled in our app!
If we do, then Spring Security already inserts a CSRF hidden form input inside <form:form> tags for us.
But in case we want to use <form> instead, we can manually indicate where Spring Security should place this hidden input field using csrfInput:
<form method="post" action="/do/something"> <sec:csrfInput /> Text Field:<br /> <input type="text" name="textField" /> </form>
If CSRF protection is not enabled, this tag outputs nothing.
7. The csrfMetaTags Tag
We can do this with the csrfMetaTags tag:
Again, if CSRF protection isn't enabled, this tag won't output anything.
In this quick article, we focused on some common Spring Security taglib use-cases.
And, as we learned, they are very useful for rendering authentication and authorization-aware JSP content.
All examples, as always, can be found over on Github.