I have a new project and I want to implement spring-security along with other components of spring framekwork.
I plan to implement spring security into 2 levels, Request URL-level and view-level
For Request URL-Level, I'd use the <intercept-url> tag to restrict URL access only for authorized users.
For View-Level security, I'll use it into two parts of the application;
For the web app menu to restrict menus for users who authorized to.
And inside the pages to restrict some parts of the page for users who authorized to.
The confusion I had is regarding implement spring security for menu links.
Hence I need to use spring taglibs <authorize> tag's url attribute (to reuse<intercept-url> patterns/access combination) , then I'll need to write menu links by hand like this:
<security:authorize url="/admin/superadmin/**" >
Super admin page
</security:authorize>
Where I've the following intercept url rule:
<intercept-url pattern="/admin/superadmin/**" access="hasRole('ROLE_SUPER_ADMIN')" />
The point is, I have all the rules in the Database table, and I want to draw links dynamically based on the roles/links saved in the table.
So, the question is how to draw menu links dynamically, and at the same time still use the <authorize> taglib?
The <authorize> tag can do what you need automatically. I assume your menu JSP looks like (without the security part) :
<c:foreach items="${menus}" var="menu">
<a href=${menu.url}>${menu.label}</a>
</c:foreach>
You can simply add security that way :
<c:foreach items="${menus}" var="menu">
<security:authorize url=${menu.url}>
<a href=${menu.url}>${menu.label}</a>
</security:authorize>
</c:foreach>
The Spring security reference manual says that as you use the namespace the authorize tags creates a dummy web request for the supplied URL and invokes the security interceptor to see whether the request would succeed or fail. This allows you to delegate to the access-control setup you defined using intercept-url declarations within the namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs
Related
I'm migrating a Play! 1.2 web application and moving to Spring Boot + Spring MVC. Some views contain URLs to other endpoints. For example, I display the book title on the page and next to it I want to add the URL to go the book's details page (e.g. localhost/books/{id}).
In Play! 1.2 the controllers are static, and there is also a Router which can create the full URL for a method belonging to another controller (Router.getFullUrl("BookController.bookDetails", args)), but how do I achieve this with Spring MVC?
Best regards,
Cristian.
If you are trying to get the app/deployed name automatically in .jsp files to make the urls, then please make use of context path. An example below :
<c:set var="context" value="${pageContext.request.contextPath}" />
<script src="${context}/themes/js/jquery.js"></script>
From your requirement "admin.myapp.com","admin-test.myapp.com" are server names right? Something like http://admin.myapp.com/book/{bookId},http://admin-test.myapp.com/book/{bookId}. In Spring app, relative path in jsp can be accessed using pageContext.request.contextPath
I also found the UriComponentsBuilder and ServletUriComponentsBuilder. They are similar to the Play! Framework router and provide methods for building URI's, handling parameters and the query etc. We chose to annotate the controllers' methods using constants and then use the same constants with the UriComponentsBuilder to build back the path and create the request query for GET requests.
In my application, after a user is logged in, every time he sends a request (get/post), before calling the method in controller, i want to verify the session attribute set in the request (i set a session attribute during his login). I see that this can be implemented through spring interceptors (OR) spring AOP. which one should i use?. I have a feeling interceptors are outdated. Or is there a way in spring security which does this for me?
So you want this intercept to happen only for all the controller methods ..? Does the controller have Base URL that its getting invoked for (post/get/delete)...? Is it more like you want to intercept the http request for a particualt URL ..? like this one
<intercept-url pattern="/styles/**" filters=" .." />
If your use case is boiled down to a particular URL pattern then you can write a custom filter extending GenericFilterBean and you can plug it to the filters attribute.So this will get called for every request matching url pattern and in your custom filter you can do whatever you wanted to do.
What if you try implementing a simple Filter? You can extend already existing Spring filter, or create your own by implementing javax.servlet.Filter
The spring security way seems the best way to me with access to specific roles also can be assigned. very good example given in http://www.mkyong.com/spring-security/spring-security-form-login-using-database/
I'm pretty new to spring, let along spring security, and I've been looking at the Schema files and noticed a <jee> tag that appears under the <http> tag which acts like some sort of preauth filter magic. Using the mappable-roles attribute, I can get the role that I want but, when I specify a different user-service-ref attribute, specifying a UserDetailsService object, I lose the role.
My guess is because when I specify the UserDetailsService object, Spring assumes I don't need the role anymore... but I do!
Any ideas on this? Can I capture those details somehow? If not with this simple <jee> tag, what does the jee tag expand to for custom-filters and pre-auth, etc?
The <jee> tag creates (among others) a PreAuthenticatedAuthenticationProvider bean which delegates to a configured strategy for loading user details.
The default implementation of this strategy is PreAuthenticatedGrantedAuthoritiesUserDetailsService which will simply copy the roles it finds in the authentication token.
By overriding this default strategy with your custom UserDetailsService using the user-service-ref attribute you take the responsibility for assigning roles to the user. If you want to keep the default behavior regarding user roles, you can simply copy the related line from the above mentioned class, as the Java EE roles are still mapped, and are accessible in the auth token to your own code as well.
In my web application I am using Spring login form (with Spring-security). By default the login form has the fields j_username and j_password. I need to add one more element(checkbox for Terms&Conditions). The current code doesn't have LoginForm as well as LoginController since Spring is internally handling it.
Can anyone please tell how to handle/override this?
I have seen this link Spring security custom login page
But I need to add the new element in LoginForm (which is not existing currently) - where I need to add this new element(in Form - .java file)
Also should I write a new controller (LoginController) or can I use any existing filter as given here? http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#filter-stack
Does the user just have to check the box in order to procede, or does it bind to a backing model object.
If it's the former, I'd just handle it through javascript. If the latter, the easiest way would probably be implementing an Authentication Filter, this area of the documentation might help:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#form-login-filter
I'm trying to show a login box in my page only if the user is not authenticated yet.
I'm using Spring Security 3.0.
Do I have to check inside the view (JSP page) through some value I set on the model while processing the request in the Controller or is there another way to achieve this?
Checking inside the JSP seems the most straightforward here. The Spring Security taglib lets you do just that.
See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html