Course – LSS – NPI (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE

1. Overview

In this tutorial, we’ll take a look at Spring Security Taglibs, which provides basic support for accessing security information and applying security constraints in JSPs.

2. Maven Dependencies

First of all, let’s add the spring-security-taglibs dependency to our pom.xml:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>6.1.5</version>
</dependency>

3. Declaring the Taglibs

Now, before we can use the tags, we need to import the taglib at the top of our JSP file:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

After adding this, we’ll be able to specify Spring Security’s tags with the sec prefix.

4. The authorize Tag

4.1. access Expressions

In our applications, we might have information which should be shown only for certain roles or users.

When this is the case, we can use the authorize tag:

<sec:authorize access="!isAuthenticated()">
  Login
</sec:authorize>
<sec:authorize access="isAuthenticated()">
  Logout
</sec:authorize>

Furthermore, we can check if an authenticated user has specific roles:

<sec:authorize access="hasRole('ADMIN')">
    Manage Users
</sec:authorize>

And we can use any Spring Security expression as our value for access:

  • hasAnyRole(‘ADMIN’,’USER’) returns true if the current user has any of the listed roles
  • isAnonymous() returns true if the current principal is an anonymous user
  • isRememberMe() returns true if the current principal is a remember-me user
  • isFullyAuthenticated() returns true if the user is authenticated and is neither anonymous nor a remember-me user

4.2. url

Other than that, we can check for users who are authorized to send requests to the certain URLs:

<sec:authorize url="/userManagement">
    <a href="/userManagement">Manage Users</a>
</sec:authorize>

4.3. Debugging

There may be cases where we want more control over the UI, for example in testing scenarios. Instead of having Spring Security skip rendering these unauthorized sections, we can set spring.security.disableUISecurity=true in, say, our application.properties file.

When we do this, the authorize tag won’t hide its contents. Instead, it will wrap the content with <span class=”securityHiddenUI”>… </span> tags instead. Then, we can customize the rendering ourselves with some CSS.

Remember though that hiding content via CSS isn’t secure! The user can simply view the source to see unauthorized content.

5. The authentication Tag

At other times, we’ll want to display details about the logged in user, like saying something like “Welcome Back, Carol!” on the site.

For this, we use the authentication tag:

<sec:authorize access="isAuthenticated()">
    Welcome Back, <sec:authentication property="name"/>
</sec:authorize>

6. The csrfInput Tag

Hopefully, we have Spring Security’s CSRF defense enabled in our app!

If we do, then Spring Security already inserts a CSRF hidden form input inside <form:form> tags for us.

But in case we want to use <form> instead, we can manually indicate where Spring Security should place this hidden input field using csrfInput:

<form method="post" action="/do/something">
    <sec:csrfInput />
    Text Field:<br />
    <input type="text" name="textField" />
</form>

If CSRF protection is not enabled, this tag outputs nothing.

7. The csrfMetaTags Tag

Or, if we’re wanting to access the CSRF token in Javascript, we’ll probably want to insert the token as a meta tag.

We can do this with the csrfMetaTags tag:

<html>
    <head>
        <title>JavaScript with CSRF Protection</title>
        <sec:csrfMetaTags />
        <script type="text/javascript" language="javascript">
            var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
            var csrfHeader = $("meta[name='_csrf_header']").attr("content");
            var csrfToken = $("meta[name='_csrf']").attr("content");
        </script>
    </head>
    <body>
    ...
    </body>
</html>

Again, if CSRF protection isn’t enabled, this tag won’t output anything.

8. Conclusion

In this quick article, we focused on some common Spring Security taglib use-cases.

And, as we learned, they are very useful for rendering authentication and authorization-aware JSP content.

All examples, as always, can be found over on Github.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE
res – Security (video) (cat=Security/Spring Security)
Comments are closed on this article!