Simple web application with Spring Security: Part 8

After given a demo to the customer, they wished to modify the specification so that after login, the page always shows the name of the user logged in. Also they would prefer if the navigation was customized to the type of user that has logged in. e.g. standard users with ROLE_USER should not see the link to the admin page on the common navigation.

The specification has been updated as follows:

User Story 7: Create common navigation that all secure pages will contain.
Note: There will be links to home, admin pages and a logout link.
Note: only admin users should see the admin link on the common navigation.

User Story 10: A common information bar should exist on all secure pages that displays whether the user is logged in or not.

The solution

To customize the common navigation per user role type and display the logged in username, we are going to use spring security’s tag libs, specifically the authorize and authentication tags.

Add spring security taglibs as dependency

Add spring-security-taglibs-2.0.4.jar to our WAR projects lib folder.

The implementation

The first step is to update our acceptance tests that verify behavior on the common navigation:

@Test
    public void shouldNotBeAbleToSeeAdminLinkOnCommonNavigationWhenNotLoggedInAsStandardUser() {

        driver.get("http://localhost:8080/springsecuritywebapp/home.htm");
        login(driver);

        // verify
        assertThat(driver.getTitle(),
                is("Home: Spring Security Web Application"));

        try {
            driver.findElement(By.linkText("Admin"));
            fail("should not be able to see a link to admin page when logged in as standard user");
        } catch (final NoSuchElementException e) {
            assertNotNull(e);
        }

}

@Test
    public void shouldBeAbleToViewUsernameOfUserOnAdminPageWhenSuccessfullyAuthenticated() {
        loginAsUser(driver, withAdminRole());
        
        // state verification
        assertThat(driver.getTitle(),
                is("Admin: Spring Security Web Application"));
        assertThat(driver.findElement(By.id("loginstatus")).getText(),
                containsString("Logged in as: admin"));
        
    }
    
    @Test
    public void shouldBeAbleToViewUsernameOfUserOnHomePageWhenSuccessfullyAuthenticated() {
        login(driver);
        
        // state verification
        assertThat(driver.getTitle(),
                is("Home: Spring Security Web Application"));
        assertThat(driver.findElement(By.id("loginstatus")).getText(),
                containsString("Logged in as: username"));
        
}

Next step is to create a userinfobar.jsp file that will be included in each secure page:

<span id="loginstatus">Logged in as: <security:authentication property="principal.username"/>
</span>

<br />

Things to note:

  1. we are using the authentication tag from spring security’s tag libs (which will be included at top of each jsp that includes this file)

Next this should be included in the home.jsp and admin.jsp pages. Here is home.jsp:

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %>
<html>

<head>
<title>Home: Spring Security Web Application</title>

</head>

<body>

<%@ include file="/WEB-INF/jsp/navigation.jsp" %>
<%@ include file="/WEB-INF/jsp/userinfobar.jsp"%>

home page: only logged in users should see this page.

</body>

</html>

Things to note:

  1. The spring security tablib is included at top of page
  2. The userinfobar.jsp file is included so will display username of logged in users.

Build, deploy and run all acceptance tests.

Getting the code

The code for this part is tagged and available for viewing online at: http://code.google.com/p/spring-security-series/source/browse/#svn/tags/SpringSecuritySeriesWAR-Part8

SVN Url: https://spring-security-series.googlecode.com/svn/tags/SpringSecuritySeriesWAR-Part8

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: