Spring Security: conditional logic based on roles - spring-security

I'm using the Spring security tags to determine if people are authenticated or have roles etc. For example
<sec:authorize access="hasRole('MANAGER')">
I'm struggling to see how to do conditional logic with this though. I want to say something like this (I made the last tags up):
<sec:authorize access="hasRole('MANAGER')">
Hello Mr Manager
</sec:authorize>
<sec:otherwise>
Hello Mr Non-Manager
</sec:otherwise>
Can anyone point me in the right direction please?
Thanks

I think you already solved this, but to finish the question:
Look at the documentation at: Spring Security TagLib
And you can use this snippet:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<sec:authorize ifNotGranted="ROLE_USER">
Hello Mr. Anonymous
</sec:authorize>
<sec:authorize ifAllGranted="ROLE_USER" ifNotGranted="ROLE_MANAGER">
Hello Mr. User
</sec:authorize>
<sec:authorize ifAllGranted="ROLE_MANAGER">
Hello Mr. Manager
</sec:authorize>

Related

In Spring Security how to handle NOT hasAuthority

Using Spring Security we use hasAuthority to conditionally execute code or conditionally display parts of page in jsp.
eg:
@PreAuthorize("hasAuthority('ROLE_TELLER')")
public Account post(Account account, double amount);
or (in jsp)
<sec:authorize access="hasAuthority('TAG_SAVE')">
.... content to display / evaluate
</sec:authorize>
I wanted to know how to handle a case when you want to show / execute something when not having Authority.
maybe something like
doesNotHaveAuthority('TAG_SAVE')
I am pretty sure this is not an out-of-the-blue use case.
Has anyone handled this in any way?
Actually, I found that this can use EL, so using a ! sign works.
I got it to work like this:
<sec:authorize access="!hasAuthority('TAG_SAVE')">
.... content to display / evaluate when the Authority is not present
</sec:authorize>
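Both of the questions above (the missing "otherwise" branch, and showing content when an authority is absent) reduce to the same idea: the tag library has no else tag, so the "else" is a second sec:authorize whose access expression is the negation (or the remaining case) of the first. The fragment below is an added example, not code from either question or answer; the role and authority names and the /tags/save link are placeholders. It uses hasAuthority for the role branches as well, because hasAuthority compares the granted authority string literally in every Spring Security version, whereas whether hasRole adds a ROLE_ prefix depends on the release you run, so the names must match exactly what your UserDetailsService grants.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<%-- Three mutually exclusive greetings built from access expressions.
     There is no sec:otherwise; each branch's expression rules out the
     others, so exactly one of them renders for a given user.
     Authority names here are placeholders for this example. --%>
<sec:authorize access="hasAuthority('ROLE_MANAGER')">
  Hello Mr Manager
</sec:authorize>
<sec:authorize access="hasAuthority('ROLE_USER') and !hasAuthority('ROLE_MANAGER')">
  Hello Mr Non-Manager
</sec:authorize>
<sec:authorize access="!hasAuthority('ROLE_USER')">
  Hello Mr Anonymous
</sec:authorize>

<%-- The same pattern for a fine-grained permission, with its "else" branch.
     Hiding the link is a usability measure only: the /tags/save handler
     (placeholder URL) still needs its own server-side authorization check,
     e.g. @PreAuthorize("hasAuthority('TAG_SAVE')") on the method. --%>
<sec:authorize access="hasAuthority('TAG_SAVE')">
  <a href="${pageContext.request.contextPath}/tags/save">Save tag</a>
</sec:authorize>
<sec:authorize access="!hasAuthority('TAG_SAVE')">
  <span>You do not have permission to save tags.</span>
</sec:authorize>
```

Because the tags only control rendering, a user who guesses the URL bypasses them; the expression on the controller or service method is what actually enforces the rule, and keeping the same expression in both places avoids the two drifting apart.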

Grails Spring Security Switch User setup problems

I'm trying to configure the SwitchUser feature of the Spring Security plugin and not having success. For the most part, it seems simple and straightforward, but after getting all the code in place and clicking the 'switch' button, it just redirects me to the default home url without making the switch.
Does anyone have more info than what already exists on the official Spring Security Core plugin site? I've been Googling and reading everything remotely related to it and not finding any original info -- most everything is a copy of Beckwith and Talbott's original documentation.
The following is the code for my app:
Config.groovy
grails.plugins.springsecurity.useSwitchUserFilter = true
grails.plugins.springsecurity.interceptUrlMap = [
'/j_spring_security_switch_user': ['ROLE_SWITCH_USER', 'isFullyAuthenticated()'],
'/j_spring_security_exit_user': ['permitAll'],
]
I'm not sure if I should use interceptUrlMap or controllerAnnotations (?), or what criteria would determine which one to use.
The .gsp code:
<sec:ifLoggedIn>
Logged in as <sec:username/>
</sec:ifLoggedIn>
<sec:ifSwitched>
<a href='${request.contextPath}/j_spring_security_exit_user'>
Resume as <sec:switchedUserOriginalUsername/>
</a>
</sec:ifSwitched>
<sec:ifNotSwitched>
<sec:ifAllGranted roles='ROLE_SWITCH_USER'>
<form action='${request.contextPath}/j_spring_security_switch_user' method='POST'>
Switch to user: <input type='text' name='j_username'/><br/>
<input type='submit' value='Switch'/>
</form>
</sec:ifAllGranted>
</sec:ifNotSwitched>
I'm not aware of any other code or settings involved. Let me know if you need more info.
It turns out all the code for SwitchUser was implemented correctly. Although SwitchUser still doesn't behave consistently, the problem was not with the code included in the question. We had problems with the implementation of roles in Grails.
I wish I had a better answer. I would still like to know more about SwitchUser -- more than what I've found with the Googles.
It seems like the filter only accepts switching between users with the role ROLE_SWITCH_USER.

How would I check for a Granted Authority with Spring Security with the tag library?

I have a set of jQuery tabs. I only want some of these tabs to show when they have the correct granted authority impl. Is it possible to check by using EL in the security tags, or do I need to add another role and check by that?
Yes, you can use EL:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasRole('authority_name_you_want_to_check_for')">
content conditional on having required authority
</sec:authorize>

Why doesn't sec:authorize work?

I have a JSF 2 page based on Facelets and use Spring Security 3 behind the application. When I put some tags like this within my page:
<sec:authorize access="hasRole('SS')">
<h:outputText value="X" />
</sec:authorize>
the X will display at runtime anyway. The auto-completion feature of Eclipse works correctly to show the "sec:" tags and their properties at programming time. What's the problem?
Have you got:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
at the top of the file?
Also, you need use-expressions="true" in the http tag in securityBeans.xml. Doing this means that any old style access="ROLE_BLAH" tags in securityBeans or wherever also need to change to use expressions.

sitemesh + spring security: show logged in user in main decorator page!

I want to show logged in user in main decorator page.
I use:
<decorator:usePage id="myPage"/>
Logged in as:<%= myPage.getRequest().getUserPrincipal().getName()%>
<decorator:body/>
but it does not work!
You need to place the SiteMesh filter-mapping below the Spring Security filter mapping.
See: Spring security tags in sitemesh decorator
Haven't worked with SiteMesh for quite some time, but why aren't you using the implicit request object instead (I assume your pages are written in JSP, right?)
<%= request.getUserPrincipal().getName() %>
And what's exactly not working? Is an exception getting thrown?
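As an added example (not code from the question or either answer), here is a minimal SiteMesh decorator JSP that shows the logged-in user through the Spring Security tag library instead of calling getUserPrincipal() directly. It assumes, as the first answer states, that the springSecurityFilterChain filter-mapping is listed before the SiteMesh filter-mapping in web.xml; otherwise the decorator runs outside the security context and both sec:authentication and request.getUserPrincipal() see no user. The title default and the logout URL (Spring Security 3.x's default /j_spring_security_logout) are assumptions for this example.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="decorator" uri="http://www.opensymphony.com/sitemesh/decorator" %>
<html>
<head>
  <title><decorator:title default="My App"/></title>
</head>
<body>
  <div id="who">
    <%-- isAuthenticated() is false for the anonymous user, so this branch
         never tries to print a name that does not exist; "name" maps to
         Authentication.getName(), so it works for any Authentication type. --%>
    <sec:authorize access="isAuthenticated()">
      Logged in as: <sec:authentication property="name"/>
      <a href="${pageContext.request.contextPath}/j_spring_security_logout">Log out</a>
    </sec:authorize>
    <sec:authorize access="!isAuthenticated()">
      Not logged in.
    </sec:authorize>
  </div>
  <decorator:body/>
</body>
</html>
```

The sec:authentication tag HTML-escapes the value it prints by default, which matters when usernames come from self-registration or an external directory; a raw scriptlet such as <%= request.getUserPrincipal().getName() %> writes the name into the page unescaped.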
