Securing Page Content with Spring Roo
Prerequisites
- Roo 1.1.0 M2 or greater installed
- Maven 2.2.1 installed
Setup a Sample Project
To test out the Security features, create a simple Roo app, which can be done using Roo’s PetClinic application script, found here: <roo_install_dir>/samples/clinic.roo
To setup the PetClinic application from the command line:
mkdir clinicsecure cd clinicsecure roo script clinic.roo
This will launch Roo and run the script generating the project for you.
Installing Spring Security
Installing Spring Security in Spring Roo is a simple one line command at the Roo Shell:
roo& security setup
Security Setup creates a security context file applicationContext.xml in the src/main/resources/META-INF/spring directory, along with all the supporting files and dependencies.
Predefined Users & Roles
There are two users configured in this file by default with the passwords encrypted in secured hash 256 (SHA256) format:
- user: admin, password: admin, role: ROLE_ADMIN
- user: user, password: user, role: ROLE_USER
Testing Security Features
To test the security at this point, build and execute the PetClinic application:
mvn clean install tomcat:run
From our browser, we can navigate to http://localhost:8080/petclinic to see the main application page.
To test the security, navigate to http://localhost:8080/petclinic/choices. We now see the login page, where we can use either user above to test authentication.
Adding Security to a Page
To manage a page segment that only one with the “ROLE_ADMIN” role installed,,,
To protect content from being displayed to a user, we can go into any of the generated JSPX files and add the security tag and wrap content.
First, add the Security namespace to the page header:
<div xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:menu="urn:jsptagdir:/WEB-INF/tags/menu" id="menu" version="2.0" xmlns:security="http://www.springframework.org/security/tags"/>
Second, wrap whatever content you would like to protect with:
<security:authorize ifAnyGranted="ROLE_ADMIN"> <!-- the content you want to only those in the admin role --> </security:authorize>
For example, go to the /petclinic/src/main/webapp/WEB-INF/views/menu.jspx page and add the page header (above). Then wrap the “vet” menu category as follows:
<security:authorize ifAnyGranted="ROLE_ADMIN">
<menu:category id="c_vet" ... >
<menu:item id="i_vet_new" ... />
<menu:item id="i_vet_list" ... />
</menu:category>
<security:authorize>
Now we can test it… rebuild and when you go to the main application page the Vets maintenance section is missing.
Next, navigate to http://localhost:8080/petclinic/choices, login as Admin and go to the home page.
Keep in mind this just protects the user from the visual aspect. In order to secure the user from accessing the Vets functionally, you will need to add the intercept-url to the applicationContext-security.xml file as follows:
<intercept-url pattern="/vets/**" access="hasRole('ROLE_ADMIN')" />
Hope this proves useful for you… send feedback, cash, checks, lottery tickets, Starbucks Gift cards…
Nice simple posting. I’m having fun with Roo (now my choice over Grails and Rails, as I’m a Java developer). I did notice one typo:
The final above should have the closing tag … or the application won’t work properly.
forgot the HTML tags would get “eaten”. For simplicity, the final
security:authorize
should be closed with
/security:authorize
Thanks Dave, I cleaned up two missing slashes…. Gordon