
  1. POSpring security user role and access jsp
    copied!<p>I am new to Spring Security. I have two user roles, Admin and Common User. I want some JSP pages to be accessible only by admin users, but the problem is that once a user logs out, he/she can still access the JSP page that I restricted in the Spring Security config.</p> <p>Please let me know whether what I am doing here is correct.</p> <p>Thank you</p> <pre><code>spring_security.xml &lt;beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"&gt; &lt;http auto-config="true"&gt; &lt;intercept-url pattern="/admin/**" access="ROLE_ADMIN" /&gt; &lt;intercept-url pattern="/user/**" access="ROLE_USER" /&gt; &lt;form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/loginfailed" /&gt; &lt;logout logout-success-url="/logout" /&gt; &lt;/http&gt; &lt;beans:bean id="customUserDetailsService" class="com.nikunj.javabrains.services.CustomUserDetailsService"&gt;&lt;/beans:bean&gt; &lt;authentication-manager&gt; &lt;authentication-provider user-service-ref="customUserDetailsService"&gt; &lt;/authentication-provider&gt; &lt;/authentication-manager&gt; </code></pre> <p>//------------------------------ Controller</p> <pre><code>package com.nikunj.javabrains.controller; import java.security.Principal; import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; import org.springframework.web.bind.annotation.ModelAttribute; import 
org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import com.nikunj.javabrains.domain.User; import com.nikunj.javabrains.services.UserService; @Controller public class UserController { @Autowired private UserService userService; @RequestMapping(value = "/welcome", method = RequestMethod.GET) public String printWelcome(ModelMap model, Principal principal, HttpServletRequest request) { String name = principal.getName(); // get logged in username model.addAttribute("username", name); model.addAttribute("message", "Spring Security login + database example"); if (request.isUserInRole("ROLE_ADMIN")) { return "admin_page"; } return "common_page"; } @RequestMapping(value = "/login", method = RequestMethod.GET) public String login(ModelMap model) { return "login"; } @RequestMapping(value = "/loginfailed", method = RequestMethod.GET) public String loginerror(ModelMap model) { model.addAttribute("error", "true"); return "login"; } @RequestMapping(value = "/logout", method = RequestMethod.GET) public String logout(ModelMap model) { return "login"; } @RequestMapping("/regiPage") public String regiPage(@ModelAttribute("user") User user, BindingResult result) { return "registration"; } @RequestMapping(value = "/saveUser", method = RequestMethod.POST) public String saveUserData(@ModelAttribute("user") User user, BindingResult result) { userService.addUser(user); return "login"; } } &lt;/beans:beans&gt; </code></pre> <p>//------------------------</p> <p>CustomServiceClass</p> <pre><code>import com.nikunj.javabrains.dao.UserDao; import java.util.ArrayList; import java.util.Collection; import java.util.List; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import 
org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; @Service @Transactional(readOnly=true) public class CustomUserDetailsService implements UserDetailsService { @Autowired private UserDao userDAO; public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { com.nikunj.javabrains.domain.User domainUser = userDAO.getUser(username); boolean enabled = true; boolean accountNonExpired = true; boolean credentialsNonExpired = true; boolean accountNonLocked = true; System.out.println("*************************************"); System.out.println(domainUser.getId()); return new User( domainUser.getUsername(), domainUser.getPassword(), enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthorities(domainUser.getId()) ); } public Collection&lt;? 
extends GrantedAuthority&gt; getAuthorities(Integer role) { List&lt;GrantedAuthority&gt; authList = getGrantedAuthorities(getRoles(role)); return authList; } public List&lt;String&gt; getRoles(Integer role) { List&lt;String&gt; roles = new ArrayList&lt;String&gt;(); if (role.intValue() == 1) { roles.add("ROLE_ADMIN"); } else { roles.add("ROLE_USER"); } return roles; } public static List&lt;GrantedAuthority&gt; getGrantedAuthorities(List&lt;String&gt; roles) { List&lt;GrantedAuthority&gt; authorities = new ArrayList&lt;GrantedAuthority&gt;(); for (String role : roles) { authorities.add(new SimpleGrantedAuthority(role)); } return authorities; } } </code></pre> <p>//---------------------------</p> <pre><code>@Controller public class AdminController { @Autowired private UserService userService; @RequestMapping(value = "/admininput", method = RequestMethod.GET) public String login(ModelMap model) { System.out.println("*************************"); return "admininputpage"; } } </code></pre>
 
