Table 15-2. Spring Security built-in algorithms for password encoding

| Implementation class | Hashing mechanism | Description |
|---|---|---|
| PlaintextPasswordEncoder | plaintext | It’s the plaintext implementation of PasswordEncoder and encodes the password as plaintext. |
| Md4PasswordEncoder | md4 | Uses the MD4 hash algorithm. It is not a very safe algorithm, and using it is not recommended. |
| Md5PasswordEncoder | md5 | It’s an MD5 implementation of PasswordEncoder. |
| ShaPasswordEncoder | sha and sha-256 | As SHA is a one-way hash, the salt can contain any characters. The default strength for the SHA encoding is SHA-1. To use a higher strength, use the constructor that takes a strength argument. |
| LdapShaPasswordEncoder | sha and ssha | A version of |
Spring Security Tag Libraries
To use Spring Security in your view layer, follow the steps summarized below:
Step 1: Tag Library declaration – The Spring Security tag library can be declared as shown in Listing 15-25 for a JSP file (Spring MVC and Struts) and in Listing 15-26 for an XHTML file (JSF).
Listing 15-25. Declaring Spring Security tag library in JSP file

```jsp
<%-- The prefix declared here must match the one used on the tags (sec) --%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
```

Listing 15-26. Declaring Spring Security tag library in XHTML file

```xml
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ui="http://java.sun.com/jsf/facelets"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:a4j="http://richfaces.org/a4j"
    xmlns:rich="http://richfaces.org/rich"
    xmlns:sec="http://www.springframework.org/security/tags">
    …
</ui:composition>
```
Step 2: Use the tags in your JSP page – Once you have declared the tag library in your view layer as in Step 1 above, you can use its prefix on the various tags as shown below:
- Tag “authorize” – the attributes which can be used in this tag are summarized below.
- Tag “authorize” with property “ifAllGranted” – Show the enclosing content if all the roles are assigned to the accessing principal. Listing 15-27 shows a sample of using the “ifAllGranted” attribute in the “authorize” tag in the view layer.
Listing 15-27. Usage of “ifAllGranted” attribute in “authorize” tag in the view layer

```jsp
<sec:authorize ifAllGranted="ROLE_FOO,ROLE_BAR">
    Content shown to users having roles ROLE_FOO & ROLE_BAR
</sec:authorize>
```
- Tag “authorize” with property “ifNotGranted” – Show the enclosing content if the accessing principal doesn’t have the roles. Listing 15-28 shows a sample of using the “ifNotGranted” attribute in the “authorize” tag in the view layer.

Listing 15-28. Usage of “ifNotGranted” attribute in “authorize” tag in the view layer

```jsp
<sec:authorize ifNotGranted="ROLE_FOO, ROLE_BAR">
    Content shown to users not having roles ROLE_FOO & ROLE_BAR
</sec:authorize>
```
- Tag “authorize” with property “ifAnyGranted” – Show the enclosing content if any of the roles is assigned to the accessing principal. Listing 15-29 shows a sample of using the “ifAnyGranted” attribute in the “authorize” tag in the view layer.

Listing 15-29. Usage of “ifAnyGranted” attribute in “authorize” tag in the view layer

```jsp
<sec:authorize ifAnyGranted="ROLE_FOO, ROLE_BAR">
    Content shown to users having either ROLE_FOO OR ROLE_BAR
</sec:authorize>
```
- Tag “authentication” – If you would like to display the properties of the Authentication object, you can use the tag library as shown in Listing 15-30 below.

Listing 15-30. Displaying authentication object using Spring Security tag libraries

```jsp
You are logged in as : <sec:authentication property="principal.username"/>
```
In addition to “principal”, other user authentication details can be used in your view layer, as detailed in Table 15-3 below.

Table 15-3. User authentication details available in the “authentication” tag to be displayed

| Property | Description |
|---|---|
| principal | The authenticated user’s principal. |
| credentials | Gives the credential which was used to authenticate the user into the application: the user-entered password. |
| authorities | The privileges given to the authenticated user. It consists of a collection of “GrantedAuthority” objects. |
| details | All the additional information related to the authentication, such as the session ID and the logged-in user’s IP address, is kept in this property. |
- Tag “accesscontrollist” – if the currently authenticated user has one of the given permissions, the user will be shown the enclosing content in the tag. Listing 15-31 below shows a sample usage of “accesscontrollist” tag in the JSP file.
Listing 15-31. Usage of tag “accesscontrollist” in JSP file

```jsp
…
<sec:accesscontrollist hasPermission="1,2" domainObject="object">
    This section will be shown if the principal accessing the JSP page has
    either of the permissions represented by values "1" or "2" on the given "object".
</sec:accesscontrollist>
…
```
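The show/hide decision made by the three “authorize” attributes in Listings 15-27 to 15-29 can be modelled as set logic over the principal’s granted roles. The following is an added example, not Spring Security’s source and not code from the original article; the class `AuthorizeTagSemantics`, its methods and the sample principals are hypothetical, and it assumes that “ifNotGranted” means none of the listed roles, that attributes set together must all pass, and that a tag with no attribute set hides its content.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Spring Security source: models when the legacy
// <sec:authorize> attributes render the enclosed content.
public class AuthorizeTagSemantics {

    // Split a comma-separated role list and trim whitespace, so
    // "ROLE_FOO,ROLE_BAR" and "ROLE_FOO, ROLE_BAR" name the same roles.
    static Set<String> parse(String csv) {
        Set<String> roles = new HashSet<>();
        if (csv == null) return roles;
        for (String role : csv.split(",")) {
            if (!role.trim().isEmpty()) roles.add(role.trim());
        }
        return roles;
    }

    // Returns true when the enclosed content would be shown.
    static boolean showBody(Set<String> granted, String ifAll, String ifAny, String ifNot) {
        Set<String> all = parse(ifAll), any = parse(ifAny), not = parse(ifNot);
        // Assumption: a tag with no attribute set fails closed.
        if (all.isEmpty() && any.isEmpty() && not.isEmpty()) return false;
        // ifNotGranted (assumed "none of"): hide if any listed role is held.
        if (!Collections.disjoint(granted, not)) return false;
        // ifAllGranted: hide unless every listed role is held.
        if (!granted.containsAll(all)) return false;
        // ifAnyGranted: hide unless at least one listed role is held.
        if (!any.isEmpty() && Collections.disjoint(granted, any)) return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed principals for the demonstration.
        String[] principals = {"ROLE_FOO", "ROLE_FOO, ROLE_BAR", "ROLE_GUEST"};
        String roles = "ROLE_FOO,ROLE_BAR";
        for (String p : principals) {
            Set<String> granted = parse(p);
            System.out.printf("%-20s all=%-5b any=%-5b not=%-5b%n", p,
                    showBody(granted, roles, null, null),
                    showBody(granted, null, roles, null),
                    showBody(granted, null, null, roles));
        }
    }
}
```

Running it prints one row per constructed principal, showing which of the three listings would render its content for that set of roles.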

Tomcy John
