Spring Security JSF showing content depending on user role


Spring is a powerful framework, and Spring Security offers a solid security mechanism that integrates well with other frameworks. In this post I’ll share an example of how to show the content of a page depending on the user’s role. I am assuming that you already have a Spring Security setup with Spring Security expressions enabled in the config file. Let’s get started.

1. Create a file called “springsecurity.taglib.xml” under the WEB-INF folder:

<?xml version="1.0"?>
<!DOCTYPE facelet-taglib PUBLIC
  "-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN"
  "http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
<facelet-taglib>
  <namespace>http://www.springframework.org/security/tags</namespace>
  <tag>
    <tag-name>authorize</tag-name>
    <handler-class>org.springframework.faces.security.FaceletsAuthorizeTagHandler</handler-class>
  </tag>
  <function>
    <function-name>areAllGranted</function-name>
    <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
    <function-signature>boolean areAllGranted(java.lang.String)</function-signature>
  </function>
  <function>
    <function-name>areAnyGranted</function-name>
    <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
    <function-signature>boolean areAnyGranted(java.lang.String)</function-signature>
  </function>
  <function>
    <function-name>areNotGranted</function-name>
    <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
    <function-signature>boolean areNotGranted(java.lang.String)</function-signature>
  </function>
  <function>
    <function-name>isAllowed</function-name>
    <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
    <function-signature>boolean isAllowed(java.lang.String, java.lang.String)</function-signature>
  </function>
</facelet-taglib>

2. Register the taglib file in web.xml:

<context-param>
    <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
    <param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
</context-param>

3. Include the required dependencies:

<properties>
 <spring-security.version>3.1.2.RELEASE</spring-security.version>
 <spring-faces.version>2.4.1.RELEASE</spring-faces.version>
</properties>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring-security.version}</version>
    <scope>compile</scope>
</dependency>
<dependency>
    <groupId>org.springframework.webflow</groupId>
    <artifactId>spring-faces</artifactId>
    <version>${spring-faces.version}</version>
    <scope>compile</scope>
</dependency>

At this point everything is set up and the tag library is ready to use. We can use it for:

a) Showing nested content conditionally, depending on roles and other criteria:

<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
  xmlns:ui="http://java.sun.com/jsf/facelets"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:sec="http://www.springframework.org/security/tags">

  <sec:authorize ifAllGranted="ROLE_FOO, ROLE_BAR">
    Lorem ipsum dolor sit amet
  </sec:authorize>

  <sec:authorize ifNotGranted="ROLE_FOO, ROLE_BAR">
    Lorem ipsum dolor sit amet
  </sec:authorize>

  <sec:authorize ifAnyGranted="ROLE_FOO, ROLE_BAR">
    Lorem ipsum dolor sit amet
  </sec:authorize>

</ui:composition>

b) Using the role as a condition to hide or show individual components:

<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
  xmlns:ui="http://java.sun.com/jsf/facelets"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:sec="http://www.springframework.org/security/tags">

  <!-- Rendered only if user has all of the listed roles -->
  <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areAllGranted('ROLE_FOO, ROLE_BAR')}"/>

  <!-- Rendered only if user does not have any of the listed roles -->
  <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areNotGranted('ROLE_FOO, ROLE_BAR')}"/>

  <!-- Rendered only if user has any of the listed roles -->
  <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areAnyGranted('ROLE_FOO, ROLE_BAR')}"/>

  <!-- Rendered only if user has access to given HTTP method/URL as defined in Spring Security configuration -->
  <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:isAllowed('/secured/foo', 'POST')}"/>

</ui:composition>
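
The configuration side of `sec:isAllowed('/secured/foo', 'POST')`, as an added example that is not part of the original post: the `<http>` section of a Spring Security 3.1 namespace configuration with expressions enabled. The role-to-URL mapping shown here is an assumption chosen to match the roles used above. The `rendered` attribute only hides the component in the view, while the `intercept-url` entries are what reject a request that is sent anyway.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- use-expressions="true" enables SpEL (hasRole, hasAnyRole, permitAll)
       in the access attributes below -->
  <http auto-config="true" use-expressions="true">

    <!-- Assumed rule: only ROLE_FOO may POST to /secured/foo.
         sec:isAllowed('/secured/foo', 'POST') is evaluated against this
         entry, and the same entry blocks the request itself when a user
         without the role submits it directly. -->
    <intercept-url pattern="/secured/foo" method="POST"
                   access="hasRole('ROLE_FOO')"/>

    <!-- Assumed rule: any other request under /secured/ needs one of the
         two roles. Entries are matched top to bottom, first match wins,
         so the more specific rule must stay above this one. -->
    <intercept-url pattern="/secured/**"
                   access="hasAnyRole('ROLE_FOO','ROLE_BAR')"/>

    <!-- Assumed rule: remaining pages and JSF resources are public -->
    <intercept-url pattern="/**" access="permitAll"/>
  </http>

  <!-- The existing <authentication-manager> definition of the application
       stays here unchanged -->

</beans:beans>
```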
