Spring Web Flow
  1. Spring Web Flow
  2. SWF-1333

Need Spring security tag support for JSF/Facelets

    Details

    • Type: New Feature New Feature
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 2.2.0.RC1
    • Component/s: JSF
    • Labels:
      None

      Description

      Since Spring security already has support for using "auth" tag inside JSP's and the similar one does not exist for supporting JSF/Facelets view technology. It is cumbersome to go with a third party acegi-jsf components and hack them to make it work with Spring security 2.0.2. It would definitely add a lot of value to provide support of using Spring security tag in JSF/Facelets view technology.

        Issue Links

          Activity

          Hide
          bansi added a comment -

          spend whole day trying to figure out why Spring Security Tags 2.0.2 were not working whereas the sampe Tutorial shipped with there disturbution works perfectly fine.

          After lots of debugging with Eclipse debugger, i figured out everything works perfect when i define Spring security tags works inside a JSP page. But if i define similar tags in Facelets xhtml file it doesnt work.

          Here is the snippet which works fine

          -------------

          index.jsp

          -------------

          <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

          <html>

          <body>

          <h1>Home Page</h1>

          <p>
          Your principal object is....: <%= request.getUserPrincipal() %>

          Your Authentication Object is <sec:authentication property="principal.username"/>

          </p>

          Here is the snippet which doesnt work

          ------------------

          index.xhtml

          -------------------

          <?xml version="1.0" encoding="UTF-8"?>

          <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

          <html xmlns="http://www.w3.org/1999/xhtml"

          xmlns:ui="http://java.sun.com/jsf/facelets"

          xmlns:h="http://java.sun.com/jsf/html"

          xmlns:f="http://java.sun.com/jsf/core"

          xmlns:a4j="http://richfaces.org/a4j" xmlns:rich="http://richfaces.org/rich"

          xmlns:s="http://myfaces.apache.org/sandbox"

          xmlns:t="http://myfaces.apache.org/tomahawk"

          xmlns:c="http://java.sun.com/jstl/core"

          xmlns:sec="http://www.springframework.org/security/tags">

          <body>

          <ui:composition template="/WEB-INF/layout/layout.xhtml">

          <ui:define name="title">

          Admin - Manufacturer

          </ui:define>

          <ui:define name="content">

          <f:view>

          <h:form id="manufacturerForm">

          <ui:include src="messages.xhtml"/>

          <div>

          <h1> Maintain Manufacturers </h1>

          <h3>

          Your Authentication Object is <sec:authentication property="principal.username"/>

          </h3>

          Any pointers/suggestions greatly appreciated

          Regards

          Bansi

          Show
          bansi added a comment - spend whole day trying to figure out why Spring Security Tags 2.0.2 were not working whereas the sampe Tutorial shipped with there disturbution works perfectly fine. After lots of debugging with Eclipse debugger, i figured out everything works perfect when i define Spring security tags works inside a JSP page. But if i define similar tags in Facelets xhtml file it doesnt work. Here is the snippet which works fine ------------- index.jsp ------------- <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <html> <body> <h1>Home Page</h1> <p> Your principal object is....: <%= request.getUserPrincipal() %> Your Authentication Object is <sec:authentication property="principal.username"/> </p> Here is the snippet which doesnt work ------------------ index.xhtml ------------------- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:a4j="http://richfaces.org/a4j" xmlns:rich="http://richfaces.org/rich" xmlns:s="http://myfaces.apache.org/sandbox" xmlns:t="http://myfaces.apache.org/tomahawk" xmlns:c="http://java.sun.com/jstl/core" xmlns:sec="http://www.springframework.org/security/tags"> <body> <ui:composition template="/WEB-INF/layout/layout.xhtml"> <ui:define name="title"> Admin - Manufacturer </ui:define> <ui:define name="content"> <f:view> <h:form id="manufacturerForm"> <ui:include src="messages.xhtml"/> <div> <h1> Maintain Manufacturers </h1> <h3> Your Authentication Object is <sec:authentication property="principal.username"/> </h3> Any pointers/suggestions greatly appreciated Regards Bansi
          Hide
          marcin muras added a comment -

          Yes it's true in facelets environment this tag doesn't works.

          It should be added in certainly but whats more facelets functions can be created.
          Such functionality enable to use expression like this e.g. .. rendered="ifAnyGranted('some role')".

          So we can use not only tags but also functions in EL expression.
          I have implemented such functionality (by using source code from existing tag). (in reality tag logic should be extracted to some external classes so facelets functions impl. could use it)
          How can I add this to Spring Security ?

          Show
          marcin muras added a comment - Yes it's true in facelets environment this tag doesn't works. It should be added in certainly but whats more facelets functions can be created. Such functionality enable to use expression like this e.g. .. rendered="ifAnyGranted('some role')". So we can use not only tags but also functions in EL expression. I have implemented such functionality (by using source code from existing tag). (in reality tag logic should be extracted to some external classes so facelets functions impl. could use it) How can I add this to Spring Security ?
          Hide
          Claude Gex added a comment -

          Crank has implemented the authorize tag as a facelet tag.
          This may be interesting for several facelet developers - and may also be interesting for the spring core team (possibly the crank crew would be generous and spend the code to start with...).

          See: http://code.google.com/p/krank/wiki/CrankSpringSecurityWebapp

          Regards
          Claude

          Show
          Claude Gex added a comment - Crank has implemented the authorize tag as a facelet tag. This may be interesting for several facelet developers - and may also be interesting for the spring core team (possibly the crank crew would be generous and spend the code to start with...). See: http://code.google.com/p/krank/wiki/CrankSpringSecurityWebapp Regards Claude
          Hide
          Dominik Dorn added a comment -

          Hi,

          I've created a simple jar file to easily integrate Spring Security and Facelets. You can even add it as maven dependency.

          If you are interested in this, take a look at
          [URL="http://www.dominikdorn.com/facelets/"] Using Spring Security with Facelets[/URL]

          Greetings,
          Dominik

          Show
          Dominik Dorn added a comment - Hi, I've created a simple jar file to easily integrate Spring Security and Facelets. You can even add it as maven dependency. If you are interested in this, take a look at [URL="http://www.dominikdorn.com/facelets/"] Using Spring Security with Facelets [/URL] Greetings, Dominik
          Hide
          Rossen Stoyanchev added a comment - - edited

          Note that due to the package changes in Facelets between JSF 1.2 and JSF 2 you will need to register the Spring Security taglib by adding a springsecurity.taglib.xml appropriate for your version (details below). Also see the booking-faces sample, which contains the necessary configuration.

          1. Add /WEB-INF/springsecurity.taglib.xml (substite class name with SpringSecurityJsf12TagLibrary for JSF 1.2):

          <?xml version="1.0"?>
          <!DOCTYPE facelet-taglib PUBLIC
          "-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN"
          "http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
          <facelet-taglib>
          <library-class>org.springframework.faces.security.SpringSecurityTagLibrary</library-class>
          </facelet-taglib>

          2. web.xml context parameter:

          <context-param>
          <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
          <param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
          </context-param>

          -----------------------------------

          A Spring Security Facelets tag library has been added with support for JSF 2 and JSF 1.2 environments. The library provides an <authorize> tag and also registers several authorization-related EL functions.

          The <authorize> tag is functionally equivalent to the JSP <authorize> tag described in the Spring Security documentation. It supports the following combinations of attributes:

          • access (authorization based on a Spring EL expression with Spring Security specific functions)
          • url, method (authorize if the user is allowed to access the given URL and HTTP method pair)
          • ifAllGranted, ifAnyGranted, ifNotGranted (authorize against a comma-separated lists of authorities)

          All <authorize> tag attributes can be Unified EL expressions except the "access" attribute, which is expected to be a Spring EL expression. The "var" attribute can be used to store the result of the authorization for access in EL expressions in other parts of the view.

          Use the following to add the tag library to a view ("sec" is recommended but not required):
          xmlns:sec="http://www.springframework.org/security/tags"

          Then use the <authorize> tag in the view:
          <sec:authorize access="hasRole('ROLE_SUPERVISOR') and hasIpAddress('192.168.1.1/99')">
          I can see this
          </sec:authorize>

          Note that in order to use Spring EL expressions you must add the "use-expressions" attribute in your Spring Security configuration:
          <security:http auto-config="true" use-expressions="true">
          ...
          </security:http>

          The Spring Security Facelets tag library also provides the following EL functions:

          • areAllGranted(String authorities)
          • areAnyGranted(String authorities)
          • areNotGranted(String authorities)
          • isAllowed(String url, String method)

          They can be used in any component attribute. For example:

          <h:panelGroup id="bookingsFragment" rendered="#

          {sec:areAllGranted('ROLE_USER, ROLE_SUPERVISOR')}

          ">
          ...
          </h:panelGroup>

          This functionality will be available in Spring Web Flow 2.2.0.RC1.

          Show
          Rossen Stoyanchev added a comment - - edited Note that due to the package changes in Facelets between JSF 1.2 and JSF 2 you will need to register the Spring Security taglib by adding a springsecurity.taglib.xml appropriate for your version (details below). Also see the booking-faces sample, which contains the necessary configuration. 1. Add /WEB-INF/springsecurity.taglib.xml (substite class name with SpringSecurityJsf12TagLibrary for JSF 1.2): <?xml version="1.0"?> <!DOCTYPE facelet-taglib PUBLIC "-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN" "http://java.sun.com/dtd/facelet-taglib_1_0.dtd"> <facelet-taglib> <library-class>org.springframework.faces.security.SpringSecurityTagLibrary</library-class> </facelet-taglib> 2. web.xml context parameter: <context-param> <param-name>javax.faces.FACELETS_LIBRARIES</param-name> <param-value>/WEB-INF/springsecurity.taglib.xml</param-value> </context-param> ----------------------------------- A Spring Security Facelets tag library has been added with support for JSF 2 and JSF 1.2 environments. The library provides an <authorize> tag and also registers several authorization-related EL functions. The <authorize> tag is functionally equivalent to the JSP <authorize> tag described in the Spring Security documentation. It supports the following combinations of attributes: access (authorization based on a Spring EL expression with Spring Security specific functions) url, method (authorize if the user is allowed to access the given URL and HTTP method pair) ifAllGranted, ifAnyGranted, ifNotGranted (authorize against a comma-separated lists of authorities) All <authorize> tag attributes can be Unified EL expressions except the "access" attribute, which is expected to be a Spring EL expression. The "var" attribute can be used to store the result of the authorization for access in EL expressions in other parts of the view. Use the following to add the tag library to a view ("sec" is recommended but not required): xmlns:sec="http://www.springframework.org/security/tags" Then use the <authorize> tag in the view: <sec:authorize access="hasRole('ROLE_SUPERVISOR') and hasIpAddress('192.168.1.1/99')"> I can see this </sec:authorize> Note that in order to use Spring EL expressions you must add the "use-expressions" attribute in your Spring Security configuration: <security:http auto-config="true" use-expressions="true"> ... </security:http> The Spring Security Facelets tag library also provides the following EL functions: areAllGranted(String authorities) areAnyGranted(String authorities) areNotGranted(String authorities) isAllowed(String url, String method) They can be used in any component attribute. For example: <h:panelGroup id="bookingsFragment" rendered="# {sec:areAllGranted('ROLE_USER, ROLE_SUPERVISOR')} "> ... </h:panelGroup> This functionality will be available in Spring Web Flow 2.2.0.RC1.

            People

            • Assignee:
              Rossen Stoyanchev
              Reporter:
              Vigil Bose
            • Votes:
              25 Vote for this issue
              Watchers:
              19 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development