Using the Spring Security Facelets Tag Library

I know, it’s hard to use the Spring Security Facelets Tag Library: the namespace is always invalid, it doesn’t work, etc. Search no more…

Here is what you need to do:

Make sure you have these dependencies in your pom.xml:

<dependency>
     <groupId>org.springframework.webflow</groupId>
     <artifactId>spring-webflow</artifactId>
     <version>2.4.0.RELEASE</version>
</dependency>

<dependency>
     <groupId>org.springframework.webflow</groupId>
     <artifactId>spring-faces</artifactId>
     <version>2.4.0.RELEASE</version>
</dependency>

To use the library you’ll need to create a .taglib.xml file and register it in web.xml.

Create the file /WEB-INF/springsecurity.taglib.xml with the following content:

<?xml version="1.0"?>
<!DOCTYPE facelet-taglib PUBLIC
"-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN"
"http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
<facelet-taglib>
    <namespace>http://www.springframework.org/security/tags</namespace>
    <tag>
        <tag-name>authorize</tag-name>
        <handler-class>org.springframework.faces.security.FaceletsAuthorizeTagHandler</handler-class>
    </tag>
    <function>
        <function-name>areAllGranted</function-name>
        <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
        <function-signature>boolean areAllGranted(java.lang.String)</function-signature>
    </function>
    <function>
        <function-name>areAnyGranted</function-name>
        <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
        <function-signature>boolean areAnyGranted(java.lang.String)</function-signature>
    </function>
    <function>
        <function-name>areNotGranted</function-name>
        <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
        <function-signature>boolean areNotGranted(java.lang.String)</function-signature>
    </function>
    <function>
        <function-name>isAllowed</function-name>
        <function-class>org.springframework.faces.security.FaceletsAuthorizeTagUtils</function-class>
        <function-signature>boolean isAllowed(java.lang.String, java.lang.String)</function-signature>
    </function>
</facelet-taglib>

Next, register the above taglib file in web.xml:

<context-param>
   <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
   <param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
</context-param>

Now you are ready to use the tag library in your views. You can use the authorize tag to include nested content conditionally:

<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
 xmlns:ui="http://java.sun.com/jsf/facelets"
 xmlns:h="http://java.sun.com/jsf/html"
 xmlns:sec="http://www.springframework.org/security/tags">

 <sec:authorize ifAllGranted="ROLE_FOO, ROLE_BAR">
 Lorem ipsum dolor sit amet
 </sec:authorize>

 <sec:authorize ifNotGranted="ROLE_FOO, ROLE_BAR">
 Lorem ipsum dolor sit amet
 </sec:authorize>

 <sec:authorize ifAnyGranted="ROLE_FOO, ROLE_BAR">
 Lorem ipsum dolor sit amet
 </sec:authorize>

</ui:composition>

You can also use one of several EL functions in the rendered or other attribute of any JSF component:

<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
     xmlns:ui="http://java.sun.com/jsf/facelets"
     xmlns:h="http://java.sun.com/jsf/html"
     xmlns:sec="http://www.springframework.org/security/tags">

     <!-- Rendered only if user has all of the listed roles -->
     <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areAllGranted('ROLE_FOO, ROLE_BAR')}"/>

     <!-- Rendered only if user does not have any of the listed roles -->
     <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areNotGranted('ROLE_FOO, ROLE_BAR')}"/>

     <!-- Rendered only if user has any of the listed roles -->
     <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:areAnyGranted('ROLE_FOO, ROLE_BAR')}"/>

     <!-- Rendered only if user has access to given HTTP method/URL as defined in Spring Security configuration -->
     <h:outputText value="Lorem ipsum dolor sit amet" rendered="#{sec:isAllowed('/secured/foo', 'POST')}"/>

</ui:composition>
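The rule that `sec:isAllowed('/secured/foo', 'POST')` evaluates lives in the Spring Security configuration, and that same rule is what rejects the request on the server; the view check only decides whether the markup is rendered. The following is an added example, not part of the original post: it assumes the XML security namespace with expression-based access, and the role guarding the POST and the catch-all rule are illustrative choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: security context matching the isAllowed() call above. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true">
        <!-- Rules are matched top to bottom and the first match wins,
             so the specific URL/method rule must precede the catch-all. -->

        <!-- isAllowed('/secured/foo', 'POST') is true only for users holding
             ROLE_FOO (assumed role); the filter chain enforces the same rule
             when the POST actually arrives. -->
        <intercept-url pattern="/secured/foo" method="POST"
                       access="hasRole('ROLE_FOO')"/>

        <!-- Everything else under /secured/ requires a logged-in user, so a
             component hidden in the view is still protected if its URL is
             requested directly. -->
        <intercept-url pattern="/secured/**" access="isAuthenticated()"/>

        <form-login/>
    </http>

</beans:beans>
```

If no `intercept-url` rule covers an action that a view hides with `sec:authorize` or a `rendered` expression, the action itself remains reachable by anyone who sends the request.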

And that’s it! Everything should work properly. Depending on your project, you may also need a dependency on the Spring Security taglibs, so make sure you have that in your pom as well.

And that’s the way the cookie crumbles!
