Spring MVC Security JSP taglib example

Spring Security provides a JSP tag library for customizing the user interface according to the authenticated user's role. With it we can show a portion of the user interface to users with the admin role and hide it from everyone else.

Including Spring Security JSP Taglib

We have to add the Spring Security taglib directive to our JSP file to use this role-based user interface feature:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>

Authorize tag in Spring Security taglib

The authorize tag is used for role-based user interface creation. For example, if we want to create a JSP portion that is visible only to a user with the role "ROLE_ADMIN", it looks like the following code:
<sec:authorize access="hasRole('ADMIN')">
  <label><a href="#">Edit this page</a> | This part is visible only to ADMIN</label>
</sec:authorize>
If we put this code in a JSP, the message is shown only to users with the role "ROLE_ADMIN". The "access" attribute specifies a Spring Security EL expression; the HTML inside the "<sec:authorize/>" tag is rendered only if that expression evaluates to true for the logged-in user. The expression in the access attribute is sent to the WebSecurityExpressionHandler defined in the web context, so we have to make a WebSecurityExpressionHandler available in our security context. It can be done in two ways:
  • Use the default WebSecurityExpressionHandler, which is only available if we specify use-expressions="true" on the <http/> tag in our Spring Security configuration file.
  • Register your own WebSecurityExpressionHandler bean in the Spring Security configuration file.

Common built-in expressions

The following are the common expressions that can be used in the access attribute of the "<sec:authorize/>" tag:
  • hasRole([role]) : Returns true only if the logged-in user has the role specified in [role].
  • hasAnyRole([role1,role2]) : Returns true only if the logged-in user has at least one of the roles specified in [role1,role2]. The roles are given as a comma-separated list.
  • isAnonymous() : Returns true only if the logged-in user is an anonymous user.
  • isAuthenticated() : Returns true if the user is not an anonymous user.
  • isFullyAuthenticated() : Returns true if the user is neither an anonymous user nor a remember-me user.
  • isRememberMe() : Returns true if the user is a remember-me user.
You can take the previous post, Spring MVC security with hibernate integration authentication example using Java configuration, and just modify welcome.jsp under the /WEB-INF/views folder as below:

You also need to put spring-security-taglibs-4.0.2.RELEASE.jar under WEB-INF/lib.

Modified welcome.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Welcome page</title>
</head>
<body>
  Dear <strong>${user}</strong>, Welcome to Home Page.
  <a href="<c:url value="/logout" />">Logout</a>

  <br/>
  <br/>
  <div>
    <label>View all information | This part is visible to Everyone</label>
  </div>

  <br/>
  <div>
    <%-- Rendered only when the access expression is true for the logged-in user --%>
    <sec:authorize access="hasRole('ADMIN')">
      <label><a href="#">Edit this page</a> | This part is visible only to ADMIN</label>
    </sec:authorize>
  </div>
  <br/>
  <div>
    <sec:authorize access="hasRole('API')">
      <label><a href="#">Start backup</a> | This part is visible only to one who has API rights.</label>
    </sec:authorize>
  </div>

  <br/>
  <div>
    <%-- Expressions can be combined with the usual EL operators --%>
    <sec:authorize access="hasRole('ADMIN') and hasRole('API')">
      <label><a href="#">Start backup</a> | This part is visible only to one who is both ADMIN &amp; API</label>
    </sec:authorize>
  </div>
</body>
</html>
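The Java configuration below is an added example; it is not the tutorial's own code nor the code of the previous post it builds on. It shows the server-side counterpart of the three <sec:authorize> blocks in welcome.jsp and of the "two ways" to provide a WebSecurityExpressionHandler discussed earlier: the tag only decides what markup is rendered, so a request for a hidden page still has to be governed by the HttpSecurity rules. The package name, the URL patterns /admin/** and /backup/**, and the in-memory users are assumptions made for the example; it targets Spring Security 4.0.x, where hasRole('ADMIN') matches the granted authority ROLE_ADMIN.

```java
// Added example (not from the original tutorial): Spring Security 4.x Java
// configuration backing the <sec:authorize> blocks in welcome.jsp.
// Package name, URL patterns and users are assumptions for illustration.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity // also registers the WebSecurityExpressionHandler that <sec:authorize> looks up
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory users keep the example self-contained; the previous post
    // wires Hibernate-backed authentication instead. roles("ADMIN") stores
    // the authority ROLE_ADMIN, which hasRole('ADMIN') checks for.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("admin-pass").roles("ADMIN", "API")
            .and()
            .withUser("operator").password("op-pass").roles("API")
            .and()
            .withUser("viewer").password("view-pass").roles("USER");
    }

    // Server-side enforcement. Every link the JSP hides behind an access
    // expression maps to a URL rule using the same expression, so a user who
    // requests the URL directly gets a 403 instead of the page.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // "Edit this page" link: hasRole('ADMIN') in the JSP
            .antMatchers("/admin/**").hasRole("ADMIN")
            // "Start backup" link: hasRole('ADMIN') and hasRole('API') in the JSP
            .antMatchers("/backup/**").access("hasRole('ADMIN') and hasRole('API')")
            // everything else (including welcome.jsp) needs a login
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

With Java configuration, expressions are enabled by default and @EnableWebSecurity exposes the expression handler bean the tag needs, which corresponds to the first of the two ways above; with XML configuration the equivalent is use-expressions="true" on the <http/> element. The page's "Everyone" block needs no matching rule because anyRequest().authenticated() already covers it.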



Keep visiting TutorialsDesk for more tutorials and practical programming examples on Spring MVC. We hope we were able to explain this Spring MVC Security JSP taglib example; if you have any questions or suggestions, please write to us using the contact us form.

Please share us on social media if you like the tutorial.