Hawk

Reputation: 907

How to secure an included page with Spring security

Assuming I have a main.jsp which include another protected page

<%
RequestDispatcher rd = request.getRequestDispatcher("secure/protected.jsp");
rd.include(request, response);
%>


<http auto-config="true" once-per-request="true">
        <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
....
</http>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

Currently, what I have found is:

I have read related discussions: Spring Security Allows Unauthorized User Access to Restricted URL from a Forward

Is it possible to secure an included JSP? If not, why? I guess the reason is that when we use the request dispatcher, we still pass the original request, so the Spring Security filter only knows the original request path (main.jsp) and doesn't know the target included path (protected.jsp). Therefore, it doesn't block the inclusion of protected.jsp.

But it doesn't work. I use Spring Security 3.1.2.

Upvotes: 2

Views: 1089

Answers (2)

user3151168

Including a JSP basically means inlining the content of another JSP into the current output (html) document. As san-krish mentioned these JSP includes don't undergo servlet filter operation.

Their main purpose is to be used whenever you have reusable JSPs, for instance for navigation or pagination. Usually, they aren't exposed by the servlet container. Hence, they should live under WEB-INF.

You didn't disclose enough information about your application. But it seems that you are trying to route to different pages inside one JSP.

Consider that a design flaw. Your view (the JSP) should just render the model data, and your controller (HttpServlet or, even better, a Spring MVC request handler) should decide whether JSP A or B should be taken for rendering.

If I'm wrong in my assumption, sorry for the noise.

If you are trying to show different content to the user after login you should consider implementing a custom AuthenticationSuccessHandler which redirects to different JSPs based on the roles attached to the principal.

If you just want to show or hide page content based on user role, you should leverage Spring Security's taglib:

Include the Spring Security Taglib artifact in your pom.xml (I take Maven for granted).

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.1.1.RELEASE</version>
</dependency>

Add the taglib to your JSP.

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>

And surround the include with the authorize tag. Even better, you should move the authorize tag into protected.jsp for better reusability.

<security:authorize ifAllGranted="ROLE_SUPERVISOR">
    <jsp:include page="secure/protected.jsp" />
</security:authorize>

Upvotes: 2
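The answer above mentions a custom AuthenticationSuccessHandler that sends users to different pages depending on their roles. The following is an added example of one, not code from the answerer or from the Spring project; the class name, the package, and the target pages /secure/supervisor.jsp and /home.jsp are hypothetical, while ROLE_SUPERVISOR is the role from the question and the Spring Security 3.1 types are real.

```java
package com.example.security; // hypothetical package

import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Hypothetical success handler: after a successful login, pick the landing
 * page from the roles attached to the authenticated principal and redirect
 * there. The redirect only chooses a landing page; access to the target URL
 * is still enforced by the intercept-url rules of the filter chain.
 */
public class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {

    // Context-relative redirect, the same strategy Spring's own handlers use.
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        String target = chooseTarget(authentication.getAuthorities());
        redirectStrategy.sendRedirect(request, response, target);
    }

    /**
     * Map granted authorities to a landing page. Kept as a separate method so
     * the role-to-page decision can be unit-tested without a servlet container.
     */
    static String chooseTarget(Collection<? extends GrantedAuthority> authorities) {
        for (GrantedAuthority authority : authorities) {
            if ("ROLE_SUPERVISOR".equals(authority.getAuthority())) {
                return "/secure/supervisor.jsp"; // hypothetical supervisor page
            }
        }
        return "/home.jsp"; // hypothetical default page for everyone else
    }
}
```

With the XML namespace configuration used in the question, the handler is declared as a bean and wired in with the form-login element's authentication-success-handler-ref attribute. Note that a handler written from scratch like this discards the request a user was originally trying to reach before being sent to login; if that behaviour matters, extend SavedRequestAwareAuthenticationSuccessHandler and override its target selection instead.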

Santhosh

Reputation: 8197

As you include the JSP page in your main.jsp, it doesn't undergo servlet filter operation. In other words, it doesn't reach the server; rather, it is compiled and placed in your main page.

The concept of Spring Security is based on ServletFilter; as your included page is not intercepted by Spring Security, it doesn't prevent access to it.

Hope this helps !!

Upvotes: 1
