Introduction to Spring Security Taglibs

Last modified: September 4, 2018

1. Overview


In this tutorial, we’ll take a look at Spring Security Taglibs, which provides basic support for accessing security information and applying security constraints in JSPs.


2. Maven Dependencies


First of all, let’s add the spring-security-taglibs dependency to our pom.xml:



3. Declaring the Taglibs


Now, before we can use the tags, we need to import the taglib at the top of our JSP file:


<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

After adding this, we’ll be able to specify Spring Security’s tags with the sec prefix.


4. The authorize Tag


4.1. access Expressions


In our applications, we might have information which should be shown only for certain roles or users.


When this is the case, we can use the authorize tag:


<sec:authorize access="!isAuthenticated()">
    Login
</sec:authorize>
<sec:authorize access="isAuthenticated()">
    Logout
</sec:authorize>

Furthermore, we can check if an authenticated user has specific roles:


<sec:authorize access="hasRole('ADMIN')">
    Manage Users
</sec:authorize>

And we can use any Spring Security expression as our value for access:


  • hasAnyRole('ADMIN','USER') returns true if the current user has any of the listed roles
  • isAnonymous() returns true if the current principal is an anonymous user
  • isRememberMe() returns true if the current principal is a remember-me user
  • isFullyAuthenticated() returns true if the user is authenticated and is neither anonymous nor a remember-me user

4.2. url


Other than that, we can check for users who are authorized to send requests to certain URLs:


<sec:authorize url="/userManagement">
    <a href="/userManagement">Manage Users</a>
</sec:authorize>

4.3. Debugging


There may be cases where we want more control over the UI, for example in testing scenarios. Instead of having Spring Security skip rendering these unauthorized sections, we can set a property in, say, our application.properties file.

When we do this, the authorize tag won’t hide its contents. Instead, it will wrap the content in <span class="securityHiddenUI">… </span> tags. Then, we can customize the rendering ourselves with some CSS.

Remember though that hiding content via CSS isn’t secure! The user can simply view the source to see unauthorized content.


5. The authentication Tag


At other times, we’ll want to display details about the logged-in user, for example a greeting like “Welcome Back, Carol!” on the site.

For this, we use the authentication tag:


<sec:authorize access="isAuthenticated()">
    Welcome Back, <sec:authentication property="name"/>
</sec:authorize>

6. The csrfInput Tag


Hopefully, we have Spring Security’s CSRF defense enabled in our app!


If we do, then Spring Security already inserts a CSRF hidden form input inside <form:form> tags for us.


But in case we want to use <form> instead, we can manually indicate where Spring Security should place this hidden input field using csrfInput:


<form method="post" action="/do/something">
    <sec:csrfInput />
    Text Field:<br />
    <input type="text" name="textField" />
    <input type="submit" value="Submit" />
</form>

If CSRF protection is not enabled, this tag outputs nothing.


7. The csrfMetaTags Tag


Or, if we want to access the CSRF token in JavaScript, we’ll probably want to insert the token as a meta tag.


We can do this with the csrfMetaTags tag:


<html>
    <head>
        <title>JavaScript with CSRF Protection</title>
        <sec:csrfMetaTags />
        <script type="text/javascript" language="javascript">
            var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
            var csrfHeader = $("meta[name='_csrf_header']").attr("content");
            var csrfToken = $("meta[name='_csrf']").attr("content");
        </script>
    </head>
    <body></body>
</html>

Again, if CSRF protection isn’t enabled, this tag won’t output anything.
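The snippet above stops once the three values have been read. The following is an added example (not code from the original article) that shows the client-side half of sections 6 and 7: it reads the meta tags that csrfMetaTags renders and attaches the token either as a request header on a fetch() call, or as a form parameter, which is what csrfInput does with a hidden field for a plain <form>. The meta names _csrf, _csrf_header and _csrf_parameter are the ones Spring Security emits; the function names, the lookup-function indirection (so the logic can run outside a browser) and the sample token values are assumptions constructed for this demo.

```javascript
// Added example, not from the original article. Client-side handling of the
// values rendered by <sec:csrfMetaTags />, usable for fetch()/XHR (section 7)
// or for programmatic form submission (the csrfInput case of section 6).

// Read the CSRF settings through a lookup function so the same logic runs in
// a browser (see browserMetaReader) and in a plain Node test.
function readCsrfMeta(getMetaContent) {
  const token = getMetaContent('_csrf');
  const headerName = getMetaContent('_csrf_header');
  const parameterName = getMetaContent('_csrf_parameter');
  // csrfMetaTags renders nothing when CSRF protection is disabled, so a
  // missing value means "no CSRF handling on this page".
  if (!token || !headerName || !parameterName) {
    return null;
  }
  return { token, headerName, parameterName };
}

// Lookup backed by the real DOM: querySelector over the meta tags. Hypothetical
// helper; in the browser you would call readCsrfMeta(browserMetaReader(document)).
function browserMetaReader(doc) {
  return function (name) {
    const el = doc.querySelector("meta[name='" + name + "']");
    return el ? el.getAttribute('content') : null;
  };
}

// Methods the CSRF check does not apply to; no token is needed for them.
const SAFE_METHODS = ['GET', 'HEAD', 'TRACE', 'OPTIONS'];

// Build the init object for fetch(): optional JSON body plus the CSRF header,
// added only on state-changing requests.
function csrfFetchInit(method, csrf, jsonBody) {
  const init = { method: method.toUpperCase(), headers: {} };
  if (jsonBody !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(jsonBody);
  }
  if (csrf && !SAFE_METHODS.includes(init.method)) {
    init.headers[csrf.headerName] = csrf.token;
  }
  return init;
}

// Form-encoded alternative: the same result <sec:csrfInput /> produces with a
// hidden field, for code that submits form data itself.
function csrfFormBody(fields, csrf) {
  const params = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    params.append(name, value);
  }
  if (csrf) {
    params.append(csrf.parameterName, csrf.token);
  }
  return params.toString();
}

// Constructed sample of what the rendered meta tags would hold. The header and
// parameter names match Spring Security's defaults; the token value is fake.
const SAMPLE_META = {
  _csrf: 'constructed-token-0123',
  _csrf_header: 'X-CSRF-TOKEN',
  _csrf_parameter: '_csrf'
};
const sampleMetaReader = (name) => (name in SAMPLE_META ? SAMPLE_META[name] : null);

// Browser usage would be:
//   const csrf = readCsrfMeta(browserMetaReader(document));
//   fetch('/do/something', csrfFetchInit('POST', csrf, { textField: 'hi' }));
```

Because readCsrfMeta returns null when the meta tags are absent, the same script works on a page where CSRF protection is turned off, mirroring the tag's own behaviour of emitting nothing in that case.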


8. Conclusion


In this quick article, we focused on some common Spring Security taglib use-cases.


And, as we learned, they are very useful for rendering authentication and authorization-aware JSP content.


All examples, as always, can be found over on Github.