Open spring-projects-issues opened 9 years ago
I've come up with a starting macro for this type of library below. @rwinch if we wanted to submit a pull request to start this could you give us some guidance on where it might be appropriate to live within the Spring Security ecosystem?
<#macro authorize ifAnyGranted> <#assign authorized = false> <#list Session["SPRING_SECURITY_CONTEXT"].authentication.authorities as authority> <#if authority == ifAnyGranted> <#assign authorized = true> </#if> </#list> <#if authorized> <#nested> </#if> </#macro>
Thanks!
I honestly think the first step is to ensure that this support is migrated to use objects that are populated on the request attributes. Then libraries can leverage those objects to ensure they get consistent results. View technologies that are fairly flexible could even just use the objects directly without needing a specific DSL this way.
@rwinch So the only reference I could find on how to get access to the Spring security information is here which mentions session but not request objects. Is there a better place to find out where they would be in the request and how to access them? Any example code that can be reviewed?
@rwinch I was wondering if you or anyone else could give some clues on how to do what you have mentioned here? As I said I could not find any good reference on where the request attributes that hold objects are.
I found that SPRING_SECURITY_CONTEXT was at the top level and was only available if somebody was logged in so I have altered @rob-baily 's script and is working for me. Hopefully might help somebody.
<#macro requiredRole Role> <#assign authorized = false> <#if SPRING_SECURITY_CONTEXT??> <#list SPRING_SECURITY_CONTEXT.authentication.authorities as authority> <#if authority == Role> <#assign authorized = true> </#if> </#list> </#if> <#if authorized> <#nested> </#if> </#macro>
<#macro authorize ifAnyGranted> <#assign authorized = false> <#list Session["SPRING_SECURITY_CONTEXT"].authentication.authorities as authority> <#if authority == ifAnyGranted> <#assign authorized = true> </#if> </#list> <#if authorized> <#nested> </#if> </#macro>
This macro helped allot, thanks.
I had this problem upgrading an old project from Spring 3 to Spring 6, by now we have no time to replace the technology used to render the views, so my solution for JSP security tags was rewrite them using FreeMarker macros:
<#ftl output_format="HTML" strip_whitespace=true>
<#--
* security.ftl
*
* This file consists of a collection of FreeMarker macros aimed at easing
* some of the common requirements of web applications - in particular
* handling of security.
-->
<#--
* isAnonymous
*
* Verifies if there is no a logged user.
-->
<#macro isAnonymous>
<#assign anonymous = true>
<#if SPRING_SECURITY_CONTEXT??>
<#assign anonymous = false>
</#if>
<#if anonymous>
<#nested>
</#if>
</#macro>
<#--
* isAuthenticated
*
* Checks if there is a logged user and he/she is authenticated.
-->
<#macro isAuthenticated>
<#assign authenticated = false>
<#if SPRING_SECURITY_CONTEXT??>
<#assign authentication = SPRING_SECURITY_CONTEXT.authentication
isUserAuthenticated = authentication.isAuthenticated()>
<#if isUserAuthenticated>
<#assign authenticated = true>
</#if>
</#if>
<#if authenticated>
<#nested>
</#if>
</#macro>
<#--
* hasRole
*
* Verifies if there is a logged user and he/she has the given role/authority.
*
* Example:
*
* <@security.hasRole role="ROLE_ADMIN">
* <br><span>User has the role: ROLE_ADMIN</span>
* </@security.hasRole>
*
* @param role
* The role and/or authority to verify
-->
<#macro hasRole role>
<#assign authorized = false>
<#if SPRING_SECURITY_CONTEXT?? && role??>
<#list SPRING_SECURITY_CONTEXT.authentication.authorities as authority>
<#if authority == role>
<#assign authorized = true>
</#if>
</#list>
</#if>
<#if authorized>
<#nested>
</#if>
</#macro>
<#--
* ifAnyGranted
*
* Checks if there is a logged user and he/she has one of the given roles/authorities.
*
* Example:
*
* <@security.ifAnyGranted roles="ROLE_ADMIN,ROLE_SUPERADMIN">
* <br><span>User has one of the roles: ROLE_ADMIN, ROLE_SUPERADMIN</span>
* </@security.ifAnyGranted>
*
* @param roles
* Roles and/or authorities separated by commas to verify
-->
<#macro ifAnyGranted roles>
<#assign authorized = false>
<#if SPRING_SECURITY_CONTEXT?? && roles??>
<#list SPRING_SECURITY_CONTEXT.authentication.authorities as authority>
<#list roles?split(",") as role>
<#if authority == role>
<#assign authorized = true>
</#if>
</#list>
</#list>
</#if>
<#if authorized>
<#nested>
</#if>
</#macro>
<#--
* ifNotGranted
*
* Checks if there is a logged user and he/she does not have any of the given roles/authorities.
*
* Example:
*
* <@security.ifNotGranted roles="ROLE_ADMIN,ROLE_SUPERADMIN">
* <br><span>User does not have any of the roles: ROLE_ADMIN, ROLE_SUPERADMIN</span>
* </@security.ifNotGranted>
*
* @param roles
* Roles and/or authorities separated by commas to verify
-->
<#macro ifNotGranted roles>
<#assign authorized = false>
<#if SPRING_SECURITY_CONTEXT?? && roles??>
<#assign authorized = true>
<#list SPRING_SECURITY_CONTEXT.authentication.authorities as authority>
<#list roles?split(",") as role>
<#if authority == role>
<#assign authorized = false>
</#if>
</#list>
</#list>
</#if>
<#if authorized>
<#nested>
</#if>
</#macro>
I added it to the file security.ftl and import it in a common ftl file using:
<#import "security.ftl" as security />
Angel D. Segarra (Migrated from SEC-3072) said:
Spring Framework Web MVC currently ships Freemarker and Velocity macro libraries along with the JSP taglib , but Spring security ships only a JSP taglib which leaves users of the other technologies without good options out of the box. To make matters worse JspTaglibs hash in Freemarker no longer works in Spring Boot. I am requesting support parity with at least Freemarker to match Spring Web MVC.