Need Spring security tag support for JSF/Facelets [SWF-1333]

[spring-operator]

Vigil Bose opened SWF-1333 and commented

Since Spring security already has support for using "auth" tag inside JSP's and the similar one does not exist for supporting JSF/Facelets view technology. It is cumbersome to go with a third party acegi-jsf components and hack them to make it work with Spring security 2.0.2. It would definitely add a lot of value to provide support of using Spring security tag in JSF/Facelets view technology.

---

Issue Links:

• Provide Facelets tags for Spring Security [SWF-1329] #1787 Provide Facelets tags for Spring Security
  ("duplicates")

25 votes, 19 watchers

[spring-operator]

bansi commented

spend whole day trying to figure out why Spring Security Tags 2.0.2 were not working whereas the sampe Tutorial shipped with there disturbution works perfectly fine.

After lots of debugging with Eclipse debugger, i figured out everything works perfect when i define Spring security tags works inside a JSP page. But if i define similar tags in Facelets xhtml file it doesnt work.

Here is the snippet which works fine

---

index.jsp

---

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<html>
<body>
<h1>Home Page</h1>
<p>
Your principal object is....: <%= request.getUserPrincipal() %>

Your Authentication Object is <sec:authentication property="principal.username"/>

</p>

Here is the snippet which doesnt work

---

index.xhtml

---

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"

xmlns:ui="http://java.sun.com/jsf/facelets"

xmlns:h="http://java.sun.com/jsf/html"

xmlns:f="http://java.sun.com/jsf/core"

xmlns:a4j="http://richfaces.org/a4j" xmlns:rich="http://richfaces.org/rich"

xmlns:s="http://myfaces.apache.org/sandbox"

xmlns:t="http://myfaces.apache.org/tomahawk"

xmlns:c="http://java.sun.com/jstl/core"

xmlns:sec="http://www.springframework.org/security/tags">

<body>

<ui:composition template="/WEB-INF/layout/layout.xhtml">

<ui:define name="title">

Admin - Manufacturer

</ui:define>

<ui:define name="content">

<f:view>

<h:form id="manufacturerForm">

<ui:include src="messages.xhtml"/>

<div>
<h1> Maintain Manufacturers </h1>
<h3>

Your Authentication Object is <sec:authentication property="principal.username"/>

</h3>

Any pointers/suggestions greatly appreciated

Regards

Bansi

[spring-operator]

marcin muras commented

Yes it's true in facelets environment this tag doesn't works.

It should be added in certainly but whats more facelets functions can be created.
Such functionality enable to use expression like this e.g. .. rendered="ifAnyGranted('some role')".

So we can use not only tags but also functions in EL expression.
I have implemented such functionality (by using source code from existing tag). (in reality tag logic should be extracted to some external classes so facelets functions impl. could use it)
How can I add this to Spring Security ?

[spring-operator]

Claude Gex commented

Crank has implemented the authorize tag as a facelet tag.
This may be interesting for several facelet developers - and may also be interesting for the spring core team (possibly the crank crew would be generous and spend the code to start with...).

See: http://code.google.com/p/krank/wiki/CrankSpringSecurityWebapp

Regards
Claude

[spring-operator]

Dominik Dorn commented

Hi,

I've created a simple jar file to easily integrate Spring Security and Facelets. You can even add it as maven dependency.

If you are interested in this, take a look at
[URL="http://www.dominikdorn.com/facelets/"] Using Spring Security with Facelets[/URL]

Greetings,
Dominik

[spring-operator]

Rossen Stoyanchev commented

Note that due to the package changes in Facelets between JSF 1.2 and JSF 2 you will need to register the Spring Security taglib by adding a springsecurity.taglib.xml appropriate for your version (details below). Also see the booking-faces sample, which contains the necessary configuration.

1. Add /WEB-INF/springsecurity.taglib.xml (substite class name with SpringSecurityJsf12TagLibrary for JSF 1.2):

<?xml version="1.0"?>
<!DOCTYPE facelet-taglib PUBLIC
"-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN"
"http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
<facelet-taglib>
<library-class>org.springframework.faces.security.SpringSecurityTagLibrary</library-class>
</facelet-taglib>
2. web.xml context parameter:

<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
</context-param>

---

A Spring Security Facelets tag library has been added with support for JSF 2 and JSF 1.2 environments. The library provides an <authorize> tag and also registers several authorization-related EL functions.

The <authorize> tag is functionally equivalent to the JSP <authorize> tag described in the Spring Security documentation. It supports the following combinations of attributes:

• access (authorization based on a Spring EL expression with Spring Security specific functions)
• url, method (authorize if the user is allowed to access the given URL and HTTP method pair)
• ifAllGranted, ifAnyGranted, ifNotGranted (authorize against a comma-separated lists of authorities)

All <authorize> tag attributes can be Unified EL expressions except the "access" attribute, which is expected to be a Spring EL expression. The "var" attribute can be used to store the result of the authorization for access in EL expressions in other parts of the view.

Use the following to add the tag library to a view ("sec" is recommended but not required):
xmlns:sec="http://www.springframework.org/security/tags"

Then use the <authorize> tag in the view:
<sec:authorize access="hasRole('ROLE_SUPERVISOR') and hasIpAddress('192.168.1.1/99')">
I can see this
</sec:authorize>

Note that in order to use Spring EL expressions you must add the "use-expressions" attribute in your Spring Security configuration:
<security:http auto-config="true" use-expressions="true">
...
</security:http>

The Spring Security Facelets tag library also provides the following EL functions:

• areAllGranted(String authorities)
• areAnyGranted(String authorities)
• areNotGranted(String authorities)
• isAllowed(String url, String method)

They can be used in any component attribute. For example:

<h:panelGroup id="bookingsFragment" rendered="#{sec:areAllGranted('ROLE_USER, ROLE_SUPERVISOR')}">
...
</h:panelGroup>

This functionality will be available in Spring Web Flow 2.2.0.RC1.