Authorization deals with controlling access to secure resources. In Spring Security 3 authorization in general is heavily slanted toward the use of security expressions. This is one of the major differences between Spring Security 2 and 3.
For web authorization, expressions allow us to create access rules in terms of user characteristics such as authentication status, user roles, and the user's IP address.
Spring Security supports two flavors of web authorization. The first uses the web security expressions just described to control access to application URLs—or, optionally—URL/HTTP method pairs. The second involves showing or hiding JSP content using the Spring Security tag library. We’ll examine both.
Authorizing Web URLs
Activate expression-based web URL authorization as follows:
<http auto-config="true" use-expressions="true">
Then implement access rules for URLs by adding <intercept-url> children directly under the <http> element. The <intercept-url> attributes are as follows:
Attribute |
Description |
Required |
pattern |
URL pattern to match. Uses Ant syntax by default (e.g. * and ** wildcards) but regex is supported as well. |
Yes |
method |
Optional HTTP method to narrow the match |
No |
access |
When expressions are activated, this contains the security expression to apply to the URL and (if applicable) HTTP method. Legacy behavior is to store a comma-delimited list of user roles. |
No |
filters |
Only possible value is “none”, which indicates that the request is to bypass the Spring Security filter chain. The request will have no SecurityContext. This is mostly for static resources like images, JavaScript, CSS and so forth. |
No |
requires-channel |
Can be either “http” or “https”. |
No |
Rules are processed in order, so the first pattern/method match determines which security expression will be used to make the access decision. Therefore, place more specific patterns before more general patterns.
Implement a whitelist by placing a <intercept-url pattern="/**" access="denyAll" /> at the end of the list of rules.
Examples
Exclude images from being intercepted:
<intercept-url pattern=”/images/**” filters=”none” />
Allow all users to see the home page:
<intercept-url pattern=”/home” method=”GET” access=”permitAll” />
Only unauthenticated users can register a new account (RESTful URI/method):
<intercept-url pattern=”/users” method=”POST” access=”isAnonymous()” />
Only students or administrators can enter the student lounge:
<intercept-url pattern=”/lounges/student” method=”GET”
access=”hasAnyRole(‘student’, ‘admin’)” />
Authorizing JSP Content Based on User Characteristics
Activate expression-based web URL authorization as follows:
<%@ taglib prefix="security"
uri="http://www.springframework.org/security/tags" %>
The tag library has three tags:
Tag |
Description |
<security:authentication> |
Exposes the current Authentication object to the JSP. |
<security:authorize> |
Shows or hides the tag body according to whether the current principal satisfies a specified condition. |
<security:accesscontrollist> |
Shows or hides the tag body according to whether the current principal has a specified permission on the specified domain object. |
We'll go over the first two tags now, and postpone the third until after we've covered domain objects and ACLs.
<security:authentication>
This tag exposes the current Authentication object to the JSP, either for creating variables or for display. Its attributes:
Tag Attribute |
Description |
Required |
property |
Specifies a property on the Authentication object. Use dot notation to access nested properties (e.g., principal.username). |
Yes |
var |
Variable name if you want to store the property value instead of displaying it. |
No |
scope |
Optional variable scope if you want to store the property value instead of displaying it. Default is page scope. |
No |
Examples
We're usually interested in the user principal. Here's how to greet a user by username if our principal implements the UserDetails interface. (By default, principals implement UserDetails.)
<p>Hi <security:authentication property=”principal.username” /></p>
Tell a user that his account has been locked, again assuming we're using a UserDetails principal:
<security:authentication var=”principal” property=”principal” />
<c:if test=”${!principal.accountNonLocked}”>
<p>Sorry, your account has been locked.</p>
</c:if>
See the Javadocs for Spring Security's UserDetails interface for more information on the properties it exposes.
We can use <security:authentication> to access properties on a custom principal, whether a UserDetails implementation or not. For instance, here's a more user-friendly greeting:
<p>Hi <security:authentication property=”principal.firstName” /></p>
<security:authorize>
The <security:authorize> tag shows or hides its body according to whether the current principal satisfies a condition we select.
Tag Attribute |
Description |
Required |
access |
Display tag body iff the access expression is true. Uses the web security expressions described earlier in the Refcard. |
No |
url |
Specifies an app URL such that the tag displays the tag body only if the user has access to the URL |
No |
method |
Optionally narrow URL to a specific HTTP method (e.g., GET, POST, PUT, DELETE) when doing URL-based authorization. |
No |
ifNotGranted |
Comma-delimited list of roles such that the tag body shows iff the user has none of the roles. Deprecated; use the access attribute instead. |
No |
ifAllGranted |
Comma-delimited list of roles such that the tag body shows iff the user has all of the roles. Deprecated; use the access attribute instead. |
No |
ifAnyGranted |
Comma-delimited list of roles such that the tag body shows iff the user has at least one of the roles. Deprecated; use the access attribute instead. |
No |
Examples
Show a login link iff the user is unauthenticated (or, strictly, is "anonymously authenticated" in Spring Security):
<security:authorize access="isAnonymous()">
<a href="${loginUrl}">Log in</a>
</security:authorize>
Show a gradebook link if the user has the instructor role:
<security:authorize access="hasRole('instructor')">
<a href="${gradebookUrl}">Gradebook</a>
</security:authorize>
Alternatively:
<security:authorize url="/main/gradebook" method="GET">
<a href="${gradebookUrl}">Gradebook</a>
</security:authorize>
Show a logout link iff the user is authenticated:
<security:authorize access="isAuthenticated()">
<a href="${logoutUrl}">Log out</a>
</security:authorize>
Using URL and method allows us to reuse access rules defined in the application context, but we have to repeat the URL.
With that, we're done with the left half of our road map. The next topic is domain objects and ACLs.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}