Monday, December 11, 2023

How to conditionally render view in JSP using Spring Security tag library? Example tutorial

One of the common requirement of secure Java application is to show and hide content based upon role of current user. For example, a logged in user can see his name e.g. Welcome User1 but that link is not visible to an unauthenticated user. Similarly, a user with admin role can see a lot of admin related functionality which should not be visible to a normal user e.g. add/remove users, disable users, create roles, edit roles etc. How can you achieve such condition based rendering in view? Does spring security support that? Well, the answer is Yes. Spring security provide a tag library which you can use in JSP pages to perform a lot of authentication and authorization related stuff e.g. you can access current user's name, you can access access current user's role and you can also conditionally show/hide certain section of views based upon user's role. 


Spring Security JSP tag library provides three useful tag accesscontrolist, authentication, and authorize which can be used to access security related information in a JSP page.

 The <security:authorize> tag can conditionally renders its body content if the user is granted certain authorities or if a SpEL expression evaluates to true. 

In order to use the Spring Security JSP tag library, you will need to include spring-security-web module into your application's classpath. If you are not using Maven, you can simply drop the spring-security-web.jar inside WEB-INF/lib folder. 

Once you include JAR file, you also need to import those tags in your JSP page using taglib directive as shown below:

<%@ taglib prefix="security" uri="https://www.springframework.org/security/tags" %>

This URI is used to load tags from the JAR file.  Here is a also a nice diagram to refresh your concepts on Spring security architecture.



How to show/hide sections of view using User role?

As I said, we can use the authorize tag from Spring Security's tag library to conditional render a portion of view. For example, if you have link to add/remove user you can put that HTML code under <security:authorize> tag and it will only be then rendered when the user has specified role. 

The role is specified using access attribute of <security:authorize> tag and you can either use plain role or Spring expression language SpEL expression to specify the condition. For example, below code will show admin link to a user which has admin role in application:

<security:authorize access="hasRole('ROLE_ADMIN')">
<a href = "<c:url value = "/admin" />">Admin</a>
</security:authorize>

In this case, the access attribute has a SpEL, whose result will determine if the code under authorize tag will be rendered or not. Here, the hasRole('ROLE_ADMIN') will return true only if current user has ROLE_ADMIN authority. 

The Spring expression language is very powerful and give you a lot of flexibility to conditional render the body of a JSP page. 

For example, if you some powerful functionalities for super users or let's say for a user name root, you can use following SpEL expression language to specify such condition:

<security:authorize access="isAuthenticated() and principal.username='root">
<a href = "<c:url value = "/superuser" />">SuperUser</a>
</security:authorize>

The principal contains currently authenticated user's details. 

So, you can see that it's easy to conditionally render portion of JSP page based upon whether user is logged in or not and their granted authorities or roles. 

Btw, all job is not done. Even though you have made sure that normal user doesn't see the admin URL there is no stopping if someone goes directly to that link by typing in browser address bar.  So far, you have only done conditional rendering, the URL itself is not secure, that's why it's not enough to just hide sections of JSP page. 

I'll talk about that in my next article how to secure URL in Spring Security, but if you can't wait, just go through Eugue Paraschiv's Learn Spring Security's Master class to learn spring security in detail. 


That's all about how to show and hide sections of JSP page using Spring Security tag library. Even though Spring Security tag library is small, just contain three tags, it is very powerful and gives you a lot of option to access user's authentication and authorization related information inside a JSP page. 

You can use the <authentication> tag to access current principal's username and other details and you can use <authorize> to conditionally render portions of a JSP page based upon current user's authentication state and their roles. 

The condition can also be specified using SpEL which gives you a lot of power to specify sophisticated conditions based upon your application's permission structure and security need. 

Thanks for reading this article so far. If you have any doubt or question on spring security feel free to ask in comments, and now one quiz for you, what is the current version of Spring security you are using production? 

No comments:

Post a Comment