Wednesday, 12 December 2012

URL Permission Based Security

Posted by Naveen Katiyar On 05:07

URL Permission Based User Interface Creation in Spring Security

In the previous tutorial we learned how to customize JSP output based on the role of the logged-in user with the help of the Spring Security JSP taglibs. Now we will learn how to customize a JSP page on the basis of a secured URL: if the logged-in user has permission to visit the URL named in the tag attribute, the enclosed JSP segment is rendered; otherwise that segment is not shown to the user.
Consider a common menu bar for all logged-in users. The menu contains links for the admin as well as for customers; some of the items are common to both kinds of user and some are specific to the admin or to the customer.
In such a situation we use URL-permission-based user interface creation with the Spring Security taglibs: if the user has permission to visit a menu URL, the link is shown; otherwise the link is left out. The tag only decides what is rendered. The URL itself is still protected by the intercept-url rules in the security configuration, so a hidden link is never a substitute for those rules.


This tutorial assumes that you have read the following tutorials first:
  1. Getting Started with Spring Security
  2. Role based Spring Security
Please read those tutorials, or, if you already know how to set up the Spring Security JSP taglibs for use in a JSP, continue with this one.

Tools Used:
  • Spring MVC 3.0.3
  • Spring Security 3.0.5
  • Eclipse Indigo 3.7
  • Tomcat 6
  • Jdk 1.6

Tutorial Example and Explanation:

In our example there are two users in the Spring Security configuration, “admin” and “customer”, each with a different role. The welcome page is shared by both users; it is the page they are redirected to after a successful login. Two URL patterns, “/admin/**” and “/users/**”, are also configured in the Spring Security configuration file: only the admin user (ROLE_ADMIN) may view pages under “/admin/**”, and only the customer (ROLE_USER) may visit pages under “/users/**”. Everything else (“/**”) is open to either role once logged in.

Spring Security Configuration file


<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <http realm="Project Realm" auto-config="true" use-expressions="true">
        <intercept-url pattern="/auth/**" filters="none"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/users/**" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
        <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <logout logout-success-url="/auth/login.jsp"/>
        <remember-me />
    </http>

    <authentication-manager>
       <authentication-provider>
           <user-service>
               <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
               <user name="customer" password="customer" authorities="ROLE_USER"/>
           </user-service>
       </authentication-provider>
    </authentication-manager>

</b:beans>
 

We have modified our configuration file as specified above. Two points are worth noting. First, the sec:authorize url tag evaluates the current user against these same intercept-url rules (the http namespace element registers the WebInvocationPrivilegeEvaluator the tag needs), so the rules stay the single source of truth for both enforcement and rendering. Second, the plaintext passwords in the user-service and the remember-me element without a key are acceptable for this demo only; in a real deployment, hash the passwords with a password-encoder element inside the authentication-provider and give remember-me an explicit key attribute.


Welcome page with URL-permission-based JSP segments


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page session="true" %>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Security 3 JSP Taglibs- This is a secure page</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body>
    <h1>Welcome!</h1><br />
    <sec:authorize url="/admin/*">
        This section is visible to an admin only.<br/>
        You are an Administrator.<br/>
    </sec:authorize>
    <sec:authorize url="/users/*">
        This section is visible to a customer only.<br/>
        You are a Customer.<br/>
    </sec:authorize>
        ${HelloMessage}<br />
        <a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
</body>
</html>
 

<sec:authorize url="/admin/*"> : the JSP segment inside the <sec:authorize/> tag is shown to the logged-in user only if he or she has permission to view pages under the URL "/admin/*". The url attribute is not a pattern of its own: the tag treats it as a request path and checks it against the intercept-url rules exactly as a real request would be checked. "/admin/*" passes here only because the literal path "/admin/*" falls under the "/admin/**" rule; a concrete path such as "/admin/" says the same thing more clearly.

So if we log in with the admin credentials we see the message meant for the admin only, and likewise with the customer credentials.
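The menu bar described in the introduction, built with the same tag, as an added example that is not part of the original tutorial. Each link is wrapped in a sec:authorize url check that uses the same path as its href, so the visibility check and the link target cannot drift apart. The paths /welcome, /admin/users and /users/profile are assumptions for the example; the last two must fall under the /admin/** and /users/** intercept-url rules from the configuration above.

```jsp
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<%-- Added example: a menu bar shared by admin and customer.
     The paths /welcome, /admin/users and /users/profile are assumed
     for illustration; they are not part of the original tutorial. --%>
<ul id="menu">
    <%-- Visible to every authenticated user: the "/**" rule allows both roles. --%>
    <li><a href="<c:url value='/welcome'/>">Home</a></li>

    <%-- Rendered only if the current user may request /admin/users,
         i.e. only for ROLE_ADMIN under the configuration above.
         The same path is used for the check and for the href. --%>
    <sec:authorize url="/admin/users">
        <li><a href="<c:url value='/admin/users'/>">Manage users</a></li>
    </sec:authorize>

    <%-- Rendered only if the current user may request /users/profile,
         i.e. only for ROLE_USER (the customer). --%>
    <sec:authorize url="/users/profile">
        <li><a href="<c:url value='/users/profile'/>">My profile</a></li>
    </sec:authorize>

    <%-- Hiding a link is presentation only: a customer who types
         /admin/users into the address bar is still stopped by the
         "/admin/**" intercept-url rule, not by this tag. --%>
    <li><a href="<c:url value='/j_spring_security_logout'/>">Logout</a></li>
</ul>
```

Because the tag asks the security interceptor whether the current user could access the given URL, adding a new protected area needs only a new intercept-url rule and a menu entry that reuses that path; there is no second list of roles in the JSP to keep in sync.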

The source code can be downloaded from the previous tutorial and run after making the above changes.

That's all for Spring Security Tutorial..... 

Happy Coding.
  
