Introduction to Spring Security Taglibs

Last modified: September 4, 2018

1. Overview

In this tutorial, we’ll take a look at Spring Security Taglibs, which provides basic support for accessing security information and applying security constraints in JSPs.

2. Maven Dependencies

First of all, let’s add the spring-security-taglibs dependency to our pom.xml:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>5.2.2.RELEASE</version>
</dependency>

3. Declaring the Taglibs

Now, before we can use the tags, we need to import the taglib at the top of our JSP file:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

After adding this, we’ll be able to specify Spring Security’s tags with the sec prefix.

4. The authorize Tag

4.1. access Expressions

In our applications, we might have information which should be shown only for certain roles or users.

When this is the case, we can use the authorize tag:

<sec:authorize access="!isAuthenticated()">
  Login
</sec:authorize>
<sec:authorize access="isAuthenticated()">
  Logout
</sec:authorize>

Furthermore, we can check whether the authenticated user has a specific role:

<sec:authorize access="hasRole('ADMIN')">
    Manage Users
</sec:authorize>

Note that hasRole('ADMIN') matches a granted authority named ROLE_ADMIN: since Spring Security 4, the ROLE_ prefix is added automatically when the argument doesn't already start with it. More generally, we can use any Spring Security web security expression as the value of access:

  • hasAnyRole('ADMIN','USER') returns true if the current user has any of the listed roles
  • isAnonymous() returns true if the current principal is an anonymous user
  • isRememberMe() returns true if the current principal is a remember-me user
  • isFullyAuthenticated() returns true if the user is authenticated and is neither anonymous nor a remember-me user

4.2. url

We can also check whether the current user would be authorized to request a given URL. Spring Security evaluates the url attribute against the same URL authorization rules we configured in HttpSecurity (assuming a GET request unless the tag's method attribute says otherwise), so the link below is only rendered for users who could actually reach the page. The server-side rule is still what protects the endpoint; the tag merely keeps the UI consistent with it:

<sec:authorize url="/userManagement">
    <a href="/userManagement">Manage Users</a>
</sec:authorize>

4.3. Debugging

4.3.调试

There may be cases where we want more control over the UI, for example in testing scenarios. Instead of having Spring Security skip rendering these unauthorized sections, we can set spring.security.disableUISecurity=true in, say, our application.properties file.

When we do this, the authorize tag won't hide its contents. Instead, it wraps them in <span class="securityHiddenUI">…</span> tags, and we can style that class with CSS ourselves.

Remember though that hiding content via CSS isn't secure! The markup is still sent to the browser, and the user can simply view the source to see the unauthorized content, so this setting belongs in development and test environments only.

5. The authentication Tag

At other times, we'll want to display details about the logged-in user, such as a "Welcome back, Carol!" greeting on the site.

For this, we use the authentication tag. Its property attribute is a path evaluated against the current Authentication object (name here; a nested path such as principal.username works as well), the output is HTML-escaped by default, and the var and scope attributes can store the value in a page variable instead of writing it out:

<sec:authorize access="isAuthenticated()">
    Welcome Back, <sec:authentication property="name"/>
</sec:authorize>

6. The csrfInput Tag

Hopefully, we have Spring Security’s CSRF defense enabled in our app!

If we do, then Spring MVC's <form:form> tag already renders the CSRF token as a hidden input for us, because Spring Security registers a RequestDataValueProcessor that does exactly that.

But if we want to use a plain <form> instead, we can tell Spring Security where to place that hidden input ourselves with csrfInput. The token is only required on state-changing requests such as POST; a GET form doesn't need it:

<form method="post" action="/do/something">
    <sec:csrfInput />
    Text Field:<br />
    <input type="text" name="textField" />
    <input type="submit" value="Send" />
</form>

If CSRF protection is not enabled, this tag outputs nothing.

7. The csrfMetaTags Tag

Or, if we want to access the CSRF token from JavaScript, we'll probably want to expose it through meta tags.

We can do this with the csrfMetaTags tag:

<html>
    <head>
        <title>JavaScript with CSRF Protection</title>
        <sec:csrfMetaTags />
        <script type="text/javascript">
            // Read the three meta tags rendered by csrfMetaTags (plain DOM API, no jQuery needed).
            // Each value is null when CSRF protection is disabled, because the tag then renders nothing.
            function csrfMeta(name) {
                var el = document.querySelector("meta[name='" + name + "']");
                return el ? el.getAttribute("content") : null;
            }
            var csrfParameter = csrfMeta("_csrf_parameter");
            var csrfHeader = csrfMeta("_csrf_header");
            var csrfToken = csrfMeta("_csrf");
        </script>
    </head>
    <body>
    ...
    </body>
</html>

Again, if CSRF protection isn't enabled, this tag won't output anything, so client-side code must tolerate the meta elements being absent.
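
As an added example (not code from the original article or from Spring Security), the following JavaScript shows how a client consumes the values rendered by csrfMetaTags and delivers the token both ways described in sections 6 and 7: in a request header for fetch/XHR calls, and as a form parameter for a classic form post, exactly where csrfInput would have put it. The parseMetaTags helper lets the same logic run on a rendered <head> fragment outside a browser; readCsrfFromDocument is the in-page equivalent. SAMPLE_HEAD is a constructed copy of the three meta elements the tag emits, with a made-up token value; the header name X-CSRF-TOKEN and parameter name _csrf are Spring Security's defaults, and the safe-method list mirrors the methods CsrfFilter does not check.

```javascript
// Added example (not part of the original article or of Spring Security):
// consuming the meta tags rendered by <sec:csrfMetaTags /> on the client.
// Defaults assumed: header X-CSRF-TOKEN, parameter _csrf. Token value is made up.

const CSRF_META_NAMES = ["_csrf_parameter", "_csrf_header", "_csrf"];

// Constructed sample of the three <meta> elements csrfMetaTags renders.
const SAMPLE_HEAD = `
<meta name="_csrf_parameter" content="_csrf" />
<meta name="_csrf_header" content="X-CSRF-TOKEN" />
<meta name="_csrf" content="0f4a7d2e-example-token" />`;

// Extract name/content pairs from rendered <meta> tags (attribute order
// name-then-content, as csrfMetaTags writes them). Lets the logic run
// outside a browser; in a page, use readCsrfFromDocument instead.
function parseMetaTags(html) {
  const re = /<meta\s+name=["']([^"']+)["']\s+content=["']([^"']*)["']\s*\/?>/g;
  const meta = {};
  let m;
  while ((m = re.exec(html)) !== null) {
    meta[m[1]] = m[2];
  }
  return meta;
}

// Return the CSRF triple, or null when the tags are absent, which is what
// happens when CSRF protection is disabled and csrfMetaTags renders nothing.
function csrfFromMeta(meta) {
  const present = CSRF_META_NAMES.every(
    (name) => typeof meta[name] === "string" && meta[name] !== ""
  );
  if (!present) {
    return null;
  }
  return {
    parameterName: meta._csrf_parameter,
    headerName: meta._csrf_header,
    token: meta._csrf,
  };
}

// Browser entry point: read the live document rather than an HTML string.
function readCsrfFromDocument(doc) {
  const meta = {};
  for (const name of CSRF_META_NAMES) {
    const el = doc.querySelector(`meta[name='${name}']`);
    if (el) meta[name] = el.getAttribute("content");
  }
  return csrfFromMeta(meta);
}

// Methods Spring Security's CsrfFilter does not check; no token needed for them.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// fetch() options for a JSON request: on state-changing methods the token
// travels in the header named by _csrf_header.
function csrfFetchInit(csrf, method, body) {
  const upper = method.toUpperCase();
  const headers = { "Content-Type": "application/json" };
  if (csrf && !SAFE_METHODS.has(upper)) {
    headers[csrf.headerName] = csrf.token;
  }
  return {
    method: upper,
    headers,
    credentials: "same-origin", // send the session cookie the token is bound to
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Body for an application/x-www-form-urlencoded post: the token goes in the
// parameter named by _csrf_parameter, exactly as the csrfInput tag would add it.
function csrfFormBody(csrf, fields) {
  const params = new URLSearchParams(fields);
  if (csrf) params.set(csrf.parameterName, csrf.token);
  return params.toString();
}

// Usage with the constructed sample:
const csrf = csrfFromMeta(parseMetaTags(SAMPLE_HEAD));
const init = csrfFetchInit(csrf, "post", { textField: "hello" });
// init.headers["X-CSRF-TOKEN"] === "0f4a7d2e-example-token"
// csrfFormBody(csrf, { textField: "hello" }) === "textField=hello&_csrf=0f4a7d2e-example-token"
```

In a page, `fetch("/do/something", csrfFetchInit(readCsrfFromDocument(document), "POST", payload))` is all that is needed; when the server has CSRF disabled, readCsrfFromDocument returns null and the request goes out without a token, matching the behaviour of the tags, which render nothing in that case.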

8. Conclusion

In this quick article, we focused on some common Spring Security taglib use-cases.

And, as we learned, they are very useful for rendering authentication and authorization-aware JSP content.

All examples, as always, can be found over on Github.
