
Thread: Inferring Authentication Roles on client side with Spring Security

  1. #1
    Join Date
    Dec 2008
    Posts
    15

    Inferring Authentication Roles on client side with Spring Security

    I am using Spring 2.5, Spring Security 2.0.4 framework along with GWT.

    After setting all the appropriate security filters - I was able to complete a JdbcDao based Authentication from the database successfully.

    For a given page - say, landingpage.jsp - I want to display different content depending on the different roles, say admin and user.

    I have designed landing_admin.jsp , landing_user.jsp separately for the same.

    From a given page - say landing_default.jsp (after logging in) - I need the code fragment that can automatically redirect to landing_admin.jsp or landing_user.jsp depending on the role of authentication (ROLE_ADMIN or ROLE_USER etc).

    How do I get to access the authentication roles on the client side for a Spring Security configuration? Thanks.

  2. #2
    Join Date
    Dec 2008
    Posts
    15


    Ok - I am looking at the petclinic example for the above mentioned problem -

    http://static.springframework.org/sp...-tutorial.html .

    I am using the jsp tag library in my application -

    My jsp page (after login redirect ) looks as follows.

    <%@ taglib prefix="security"
    uri="http://www.springframework.org/security/tags"%>
    <html>
    <body>

    <security:authorize ifAllGranted="ROLE_ADMIN">I am an Admin</security:authorize>
    <security:authorize ifAnyGranted="ROLE_USER">I am an User</security:authorize>
    ..
    ...
    </body></html>

    I added jstl-1.2.0.jar in WEB-INF/lib of the application to be deployed.

    When I try to visit the page - I am getting the following exception:


    org.apache.jasper.JasperException: The absolute uri: http://www.springframework.org/security/tags cannot be resolved in either web.xml or the jar files deployed with this application
    org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:51)
    org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:409)
    org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:116)


    Any idea what jar needs to be packaged for the identification of the URI?

    My ivy.xml looks as follows.


    <dependency org="org.springframework" name="org.springframework.spring-library"
    rev="2.5.6.A" conf="compile->runtime" />
    <dependency org="org.springframework.security" name="org.springframework.security"
    rev="2.0.4.A" conf="compile->runtime" />
    <dependency org="org.springframework.security" name="org.springframework.security.annotation"
    rev="2.0.4.A" />
    <dependency org="org.aspectj" name="com.springsource.org.aspectj.runtime"
    rev="1.6.2.RELEASE" />

    Is there any other dependency that needs to be added?

  3. #3
    Join Date
    Dec 2008
    Posts
    15


    Ok - Adding spring security taglibs fixed the error.


    <dependency org="org.springframework.security" name="org.springframework.security.taglibs"
    rev="2.0.4.A" />

  4. #4
    Join Date
    May 2009
    Posts
    1

    Spring Security on the client-side

    Hi kaykay,

    I am currently using spring security and gwt and am attempting to integrate authorization on the client-side and I was wondering if you could help me.

    I have successfully secured all the methods on the server-side, but my question is very similar to what you were asking. How do I make the pages look different based on the roles that a user has? So pages look slightly different based on the user's list of roles.

    What I had in mind at the moment, is to get the client to load up all of the privileges of the user on logging into the system. Then whenever a widget wants to load up another one, it first goes through a Controller which is responsible for checking roles and authorization.

    I know the client-side cannot be properly secured, but it's more to reorganise the front-end for users to look correct. The actual authorisation of roles is already happening on the server-side.

    Do you have any suggestions of frameworks which would help with this rather than hard-coding all the roles to the client-side?

    Any help would be much appreciated.

    Mahamad
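
For the redirect asked about in the first post, one option is to make the role decision on the server rather than in the page. The servlet below is an added example, not code from any poster in this thread; the class name, the page locations at the context root, and the choice of a 403 response when no role matches are assumptions, and it targets the Spring Security 2.0.x API named in the thread.

```java
// Added example, not code from the thread. Uses the Spring Security 2.0.x
// packages (org.springframework.security.*), where getAuthorities() returns an array.
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;

// Hypothetical servlet; map it in web.xml to the URL used as the post-login target.
public class LandingRedirectServlet extends HttpServlet {

    // Page names come from the first post; their location at the context root is assumed.
    private static final String ADMIN_PAGE = "/landing_admin.jsp";
    private static final String USER_PAGE = "/landing_user.jsp";

    // Returns the landing page for the strongest role held, or null if none matches.
    static String landingPageFor(GrantedAuthority[] authorities) {
        if (authorities == null) return null;
        String page = null;
        for (GrantedAuthority authority : authorities) {
            String role = authority.getAuthority();
            if ("ROLE_ADMIN".equals(role)) return ADMIN_PAGE; // admin wins over user
            if ("ROLE_USER".equals(role)) page = USER_PAGE;
        }
        return page;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // The context is populated by the Spring Security filter chain, so this
        // servlet's URL must be covered by that chain.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String page = (auth == null || !auth.isAuthenticated())
                ? null : landingPageFor(auth.getAuthorities());
        if (page == null) {
            // Anonymous or unrecognised role: refuse instead of guessing a page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + page));
    }
}
```

The redirect only chooses where to send the browser; landing_admin.jsp still needs its own intercept-url rule restricting it to ROLE_ADMIN, otherwise any logged-in user can request it directly.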
