Spring Book – Chapter 15 – Web Application Security with Spring

Table 15-2. Spring Security built-in algorithms for password encoding

Implementation 

class

Hashing 

mechanism

Description
PlaintextPasswordEncoder plaintext It’s the plaintext implementation of PasswordEncoder and encodes the password as plaintext.
Md4PasswordEncoder md4 Use of MD4 hash algorithm. Not a very safe algorithm and it is recommended not to use it.
Md5PasswordEncoder md5 It’s an MD5 implementation of PasswordEncoder.
ShaPasswordEncoder sha and sha-256 As SHA is a one-way hash, the salt can contain any characters. The default strength for the SHA encoding is SHA-1. If you wish to use higher strengths use the argumented constructor.
LdapShaPasswordEncoder sha and ssha A version of 

 which supports Ldap SHA and SSHA (salted-SHA) encodings. The values are base-64 encoded and have the label “{SHA}” (or “{SSHA}”) prepended to the encoded hash.

Spring Security Tag Libraries

To use Spring Security in your view layer, do the steps as summarized below:

Step 1: Tag Library declaration – The Spring Security tag library can be declared as shown below in Listing 15-25 in the case of JSP file (Spring MVC and Struts) and Listing 15-26 in the case of XHTML file (JSF).

Listing 15-25. Declaring Spring Security tag library in JSP file

Step 2: Use the tags in your JSP page – Once you declare the tag library in your view layer as in Step 1 above, you can now use the prefix to do the appropriate operation in various tags as shown below:

  • Tag “authorize” – the various attributes which can be used in this tag is as summarized below.
    • Tag “authorize” with property “ifAllGranted – Show the enclosing content if all the roles are assigned to the accessing principal. Listing 15-27 shows a sample of using “ifAllGranted” attribute in “authorize” tag in the view layer.

Listing 15-27. Usage of “ifAllGranted” attribute in “authorize” tag in the view layer

  • Tag “authorize” with property “ifNotGranted” – Show the enclosing content if the user doesn’t have the roles to the accessing principal. Listing 15-28 shows a sample of using “ifNotGranted” attribute in “authorize” tag in the view layer.

Listing 15-28. Usage of “ifAllGranted” attribute in “authorize” tag in the view layer

  • Tag “authorize” with property “ifAnyGranted” – Show the enclosing content if any of the role is there for the accessing principal. Listing 15-29 shows a sample of using “ifAnyGranted” attribute in “authorize” tag in the view layer.

Listing 15-29. Usage of “ifAllGranted” attribute in “authorize” tag in the view layer

  • Tag “authentication” – If you would like to display the properties of the Authentication object you can use the tag library as shown in Listing 15- 30 below.

Listing 15-30. Displaying authentication object using Spring Security tag libraries

In addition to “principal” there are other user authentication details which can be used in your view layer to show various details as detailed in Table 15-3 below.

Table 15-3. User authentication details available in the “authentication” tag to be displayed

Property Description
principal The authenticated user’s principal.
credentials Gives the credential which was used to authenticate the user into the application. The user entered password.
authorities The privileges given to the authenticated user. It consists of collection of “GrantedAuthority” objects.
details All the additional information related to the authentication like session ID, logged in users IP address etc. is kept in this tag.
  • Tag “accesscontrollist” – if the currently authenticated user has one of the given permissions, the user will be shown the enclosing content in the tag. Listing 15-31 below shows a sample usage of “accesscontrollist” tag in the JSP file.

Listing 15-31. Usage of tag “accesscontrollist” in JSP file

Page Visitors: 7982

The following two tabs change content below.
Tomcy John

Tomcy John

Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.
Tomcy John

Latest posts by Tomcy John (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *