Spring Security Tag Library

In this article, we discuss Spring Security's built-in JSP tag library. It provides several tags for controlling JSP page content: they expose security information (the current Authentication) to the page and let you apply security constraints to parts of it. For example, if one section of a JSP should be shown to a normal user and another section only to an admin user, this library is the right tool for the view layer.

To add this library to our project, we need to follow these steps

  • Add Dependencies

  • Declare Tag Library

  • Use Tags

Add Dependencies

We should add the tag library dependency to the pom.xml file of the Spring Security project. The artifact is spring-security-taglibs (groupId org.springframework.security); this is a Maven project, and you can get the latest version from the official Maven repository as well. Its version should match the spring-security-web and spring-security-core versions already used by the project.


Declaring Tag Library

After adding the above dependency, we must include this directive at the top of every JSP page that uses the tags. It makes all tags of the library available on that page, similar to an import statement in Java that makes the classes of a package accessible. The prefix (security here) is chosen by the page author and must match the prefix used on the tags.

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

Verify Dependencies are present in your Project

After adding the dependency in the pom.xml file, first update the project (in Eclipse: Maven -> Update Project), and then verify that the spring-security-taglibs JAR is listed under the project's Libraries (Maven Dependencies) folder.

Use Tags in the JSP Page

After declaring the tag library at the top of the JSP page, we can use its tags. It provides the following tags:

  • Authorize Tag

  • Authentication Tag

  • Accesscontrollist tag

  • The csrfInput Tag

  • The csrfMetaTags Tag

Authorize Tag

This tag decides whether its body is rendered, based on the current user's authorization. For example, content enclosed in an authorize tag whose access expression requires the admin role is rendered for admin users and omitted from the response for everyone else. Note that the tag only controls what the view renders: it does not protect the URLs or actions that the hidden content links to, so the same rules must also be enforced server side in the security configuration. The tag has the following attributes:

Authorize Tag Attributes

Attribute Name   Description
url              Renders the body only if the current user would be granted access to this URL; the check is made against the application's URL security rules, not by the tag itself.
method           The HTTP method (GET or POST, for example) used together with url; defaults to GET.
var              Name of a page-scope variable that receives the boolean result of the check, so it can be reused with JSTL.
access           A Spring Security expression, such as hasRole('ADMIN') or isAuthenticated(), that must evaluate to true for the body to be rendered.

Use either access or url on a given tag, not both.

Authorize Tag Example

We can use this tag anywhere in our JSP page, as here. The role name is compared case-sensitively with the user's granted authorities, and hasRole() prepends ROLE_ when the name does not already start with it, so hasRole('ADMIN') matches the authority ROLE_ADMIN. The tag must be closed; everything between the opening and closing tag is the protected content.

<security:authorize access="hasRole('ADMIN')">
    <p>This content section is visible only for ADMIN</p>
</security:authorize>
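The authorize tag above only hides markup; a request for an admin page must still be rejected server side. The following Spring Security configuration, added here as an example and not taken from the article, does that: it is the rule set that a tag such as `<security:authorize url="/admin/dashboard">` is evaluated against, and it also declares the form-login processing URL used later on this page. It assumes a Spring Boot application on Spring Security 6; the /admin/** path and the in-memory users alice and bob are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Server-side rules that the JSP tags only mirror. Example configuration,
 * not from the original article; the paths and users are assumptions.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Enforced on every request, whether or not a link to /admin/** was rendered.
            // hasRole("ADMIN") matches the granted authority ROLE_ADMIN, the same
            // authority that <security:authorize access="hasRole('ADMIN')"> checks,
            // and <security:authorize url="/admin/dashboard"> is evaluated against
            // these matchers through the WebInvocationPrivilegeEvaluator bean that
            // Spring Security's web configuration registers.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Form login posting to the URL used by the <form> example on this page.
            // The hidden field rendered by <security:csrfInput/> is required by that POST.
            .formLogin(form -> form
                .loginProcessingUrl("/authenticateTheUser")
                .permitAll());
        // CSRF protection stays enabled (the default). csrfInput and csrfMetaTags
        // render nothing if it is switched off with http.csrf(csrf -> csrf.disable()).
        return http.build();
    }

    @Bean
    InMemoryUserDetailsManager users() {
        // Illustrative users. {noop} marks an unencoded password and is acceptable
        // only for a demo; a real deployment stores encoded passwords (e.g. {bcrypt}).
        UserDetails alice = User.withUsername("alice").password("{noop}alice-pw").roles("ADMIN").build();
        UserDetails bob = User.withUsername("bob").password("{noop}bob-pw").roles("USER").build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}
```

With this in place, bob can load a page containing the authorize block and simply not see the admin section; if he requests /admin/dashboard directly anyway, the filter chain answers 403 regardless of what was rendered. The tag and the configuration must agree on the role name, which is why both use ADMIN here.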

Authentication Tag

We use this tag to access the current Authentication object stored in the SecurityContext and render one of its properties in the JSP. The property attribute is a dotted path evaluated against the Authentication, so principal.username reads getPrincipal().getUsername(), which works when the principal is a UserDetails (the usual case after a form login):

<security:authentication property="principal.username" />

It renders the username of the current user. Two caveats: for an unauthenticated request the principal is the String "anonymousUser", not a UserDetails, so principal.username fails there and the tag is best placed inside an authorize block with access="isAuthenticated()"; and the rendered value is HTML-escaped by default (htmlEscape attribute), which should be left as is because the username is user-supplied data. The var attribute stores the value in a variable instead of rendering it.

Accesscontrollist Tag

This tag checks a comma-separated list of required permissions against a domain object. If the current user has all of the listed permissions on that object, the tag body is evaluated; otherwise it is skipped, as it is when no Authentication is present. The check is delegated to the PermissionEvaluator in the application context; the reference documentation describes the tag for use with Spring Security's ACL (Access Control List) module, where that evaluator is the AclPermissionEvaluator. This tag has the following attributes.

Attribute Name   Description
hasPermission    Comma-separated list of permissions that must all be granted on the domain object (with the ACL module, for example 1 for read and 2 for write).
domainObject     The object, usually given as an EL expression such as ${contact}, against which the permissions are checked.
var              Name of a page-scope variable that receives the boolean result.
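To show what the tag's permission check amounts to, here is a PermissionEvaluator that the accesscontrollist tag can delegate to, written for this page as an added example rather than taken from the article or from Spring Security's ACL module. It assumes a Document domain object with an owner field, the permission names READ and WRITE, and that the evaluator is registered as a bean the tag resolves from the application context (with the ACL module, that role is filled by AclPermissionEvaluator instead). The main method exercises the rules without a web container.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

/** Illustrative domain object; the article does not define one. */
record Document(long id, String owner) {}

/**
 * Object-level authorization consulted once per entry of hasPermission="...".
 * Example code, not from the original article.
 */
@Component
public class DocumentPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Document doc)) {
            return false;           // deny by default: unknown caller or unknown object
        }
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals("ROLE_ADMIN"));
        boolean owner = doc.owner().equals(auth.getName());
        // Each comma-separated entry of hasPermission arrives as the permission
        // argument; compare on its string form and reject anything unrecognised.
        return switch (String.valueOf(permission)) {
            case "READ" -> owner || admin;
            case "WRITE" -> owner;
            default -> false;
        };
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false;               // id-based lookups are not used by the tag
    }

    /** Runs the rules against three constructed users; no servlet container needed. */
    public static void main(String[] args) {
        PermissionEvaluator eval = new DocumentPermissionEvaluator();
        Document doc = new Document(42L, "alice");
        Authentication alice = new TestingAuthenticationToken("alice", null, "ROLE_USER");
        Authentication carol = new TestingAuthenticationToken("carol", null, "ROLE_ADMIN");
        Authentication bob = new TestingAuthenticationToken("bob", null, "ROLE_USER");
        // hasPermission="READ,WRITE" renders the body only if every entry is granted
        for (Authentication a : List.of(alice, carol, bob)) {
            boolean read = eval.hasPermission(a, doc, "READ");
            boolean write = eval.hasPermission(a, doc, "WRITE");
            System.out.printf("%-5s READ=%b WRITE=%b READ,WRITE=%b%n",
                    a.getName(), read, write, read && write);
        }
    }
}
```

Run stand-alone, the loop shows alice (owner) granted both permissions, carol (admin) granted READ only, and bob nothing, so a tag with hasPermission="READ,WRITE" and domainObject="${doc}" would render its body for alice alone. Keeping the default branch at false matters: a permission name that is misspelt in the JSP then fails closed instead of silently granting access.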

CsrfInput Tag

This tag inserts a hidden form field carrying the CSRF token, so that a POST made from a plain HTML <form> passes Spring Security's CSRF check. The field is not visible to the user, but its value is submitted with the form. When Spring's form tag library (<form:form>) is used, the field is added automatically, so this tag is only needed for ordinary HTML forms.

The tag renders the field only if CSRF protection is enabled; otherwise it outputs nothing, so a form that silently loses the field is a sign that protection has been switched off.

CsrfInput Tag Example

<form action="${pageContext.request.contextPath}/authenticateTheUser" method="post">
    <security:csrfInput />
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>

CsrfMetaTags Tag

If CSRF protection is enabled, this tag inserts <meta> elements carrying the CSRF form-field name, the CSRF header name, and the token value; if protection is disabled it renders nothing. They exist so that JavaScript in the page can attach the token to requests it makes itself (AJAX or fetch calls), which the hidden form field does not cover.

Place this tag inside the HTML head. JavaScript can then read the field name, header name, and token value from the meta tags, as in the example below (which assumes jQuery is loaded on the page).

CsrfMetaTags Tag Example

<security:csrfMetaTags />
<script type="text/javascript">
    var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");
    var csrfToken = $("meta[name='_csrf']").attr("content");
    // Send the token in the CSRF header on every jQuery AJAX request
    $(document).ajaxSend(function (event, xhr) {
        xhr.setRequestHeader(csrfHeader, csrfToken);
    });
</script>
