I want to display some content conditionally based on Roles using Spring Security JSP taglibs. But in Spring Security 3.1.x is checking for only one role.
I can use but ifAllGranted is deprecated.
Any help?
Tags: java, spring, spring-mvc, spring-security
@dimas's answer is not logically consistent with your question; ifAllGranted cannot be directly replaced with hasAnyRole.
From the Spring Security 3 -> 4 migration guide:
Old:
<sec:authorize ifAllGranted="ROLE_ADMIN,ROLE_USER">
<p>Must have ROLE_ADMIN and ROLE_USER</p>
</sec:authorize>
New (SpEL):
<sec:authorize access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')">
<p>Must have ROLE_ADMIN and ROLE_USER</p>
</sec:authorize>
Replacing ifAllGranted directly with hasAnyRole will cause Spring to evaluate the statement using an OR instead of an AND. That is, hasAnyRole will return true if the authenticated principal contains at least one of the specified roles, whereas Spring's (now deprecated as of Spring Security 4) ifAllGranted method only returned true if the authenticated principal contained all of the specified roles.
TL;DR: To replicate the behavior of ifAllGranted using Spring Security Taglib's new authentication Expression Language, the hasRole('ROLE_1') and hasRole('ROLE_2') pattern needs to be used.
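The AND/OR difference described in the answer above can be checked outside a JSP. This is an added example, not part of the original answer or of Spring's own code; it assumes spring-security-core and spring-expression are on the classpath, and the class name, the principal name and the ROLE_GUEST role are constructed for illustration.

```java
// Added example (not from the original page): evaluates both access expressions
// against constructed principals to show where hasAnyRole is more permissive.
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class AuthorizeExpressionCheck {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Evaluates a SpEL access expression for a principal holding the given authorities. */
    static boolean allowed(String expression, String... grantedAuthorities) {
        // Constructed test principal; the name and credentials are placeholders.
        Authentication auth = new TestingAuthenticationToken("user", "n/a", grantedAuthorities);
        // SecurityExpressionRoot supplies hasRole/hasAnyRole; it is abstract but has
        // no abstract methods, so an empty anonymous subclass is enough here.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        Boolean result = PARSER.parseExpression(expression)
                .getValue(new StandardEvaluationContext(root), Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        // Replacement for ifAllGranted taken from the migration guide quoted above.
        String and = "hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')";
        // The direct swap the answer warns against.
        String any = "hasAnyRole('ROLE_ADMIN','ROLE_USER')";
        String[][] principals = {
            {"ROLE_ADMIN", "ROLE_USER"},
            {"ROLE_USER"},
            {"ROLE_ADMIN"},
            {"ROLE_GUEST"},
        };
        for (String[] roles : principals) {
            System.out.printf("%-24s and=%-5b any=%b%n",
                    String.join(",", roles), allowed(and, roles), allowed(any, roles));
        }
    }
}
```

A principal holding only one of the two roles passes the hasAnyRole form but fails the and form, so a direct swap from ifAllGranted to hasAnyRole widens access to the protected content.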
You can try it this way if you are using Thymeleaf:
sec:authorize="hasAnyRole(T(com.orsbv.hcs.model.SystemRole).ADMIN.getName(),
T(com.orsbv.hcs.model.SystemRole).SUPER_USER.getName(),'ROLE_MANAGEMENT')"
This will return true if the user has the mentioned roles, false otherwise.
Please note you have to use the sec tag in your HTML declaration tag like this:
<html xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
I used hasAnyRole('ROLE_ADMIN','ROLE_USER') but I was getting the bean creation error below:
Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource] while setting bean property 'securityMetadataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Expected a single expression attribute for [/user/*]
Then I tried
access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"
and it's working fine for me, as one of my users is admin as well as user.
For this you need to add use-expressions="true" auto-config="true" followed by the http tag:
<http use-expressions="true" auto-config="true" >.....</http>
Within Spring Boot 2.4 it is
sec:authorize="hasAnyRole('ROLE_ADMIN')"
Ensure that you have thymeleaf-extras-springsecurity5 in your dependencies. Also make sure that you include the namespace xmlns:sec="http://www.thymeleaf.org/extras/spring-security" in your html...
Source: Stackoverflow.com