2

Assuming I have a main.jsp which include another protected page

<%
RequestDispatcher rd = request.getRequestDispatcher("secure/protected.jsp");
rd.include(request, response);
%>


<http auto-config="true" once-per-request="true">
        <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
....
</http>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

Currently, what I found are:

  • Spring security filter is actually invoked.
  • protected.jsp is still displayed in main.jsp. (but I expect protected.jsp will be blocked by spring security)

I have read related discussions: Spring Security Allows Unauthorized User Access to Restricted URL from a Forward

is it possible to secure an included jsp? If not, why? I guess reason is when we use request dispatcher, we still pass original request, so spring security filter only knows original request path (main.jsp) and don't know target included path (protectected.jsp). Therefore, it doesn't block the inclusion of protectected.jsp

but it doesn't work. I use Spring security 3.1.2.

Community
  • 1
  • 1
Hawk
  • 897
  • 7
  • 14

2 Answers2

2

Including a JSP basically means inlining the content of another JSP into the current output (html) document. As san-krish mentioned these JSP includes don't undergo servlet filter operation.

Their main purpose is to be used whenever you have reusable JSPs, for instance for navigation or pagination. Usually, they aren't exposed by the servlet container. Hence, they should live under WEB-INF.

You didn't disclose enough information about your application. But it seems that you are trying to route to different pages inside one JSP.

Consider that as a design flaw. Your view (the JSP) should just render the model data and your controller (HttpServlet or even better Spring MVC request handler) should decide whether JSP A or B should be taken for rendering.

If I'm wrong with my assumption - sorry for the noise.

If you are trying to show different content to the user after login you should consider implementing a custom AuthenticationSuccessHandler which redirects to different JSPs based on the roles attached to the principal.

If you are just want to show or hide page content based on user role, you should leverage Spring Security's Taglib:

Include the Spring Security Taglib artifact in your pom.xml (I take Maven for granted).

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.1.1.RELEASE</version>
</dependency>

Add the taglib to your JSP.

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>

And surround include with authorize tag. Even better, you should move authorize into protected.jsp for better reusability.

<security:authorize ifAllGranted="ROLE_SUPERVISOR">
    <jsp:include page="secure/protected.jsp" />
</security:authorize>
ksokol
  • 8,035
  • 3
  • 43
  • 56
  • Thanks. I agree that including a protected page might be a little bit strange in perspective of use case. Spring's authorize tag is also the proper solution I found. – Hawk Oct 01 '14 at 06:36
1

As you include the jsp page in your main.jsp , it doesnt undergo servlet filter operation. In otherwords , it doesnt reach server rather compiled and placed in your main page.

The concept of spring security is based on ServletFilter as you included page is not intercepted by spring security it doestnt prevent its access.

Hope this helps !!

Santhosh
  • 8,181
  • 4
  • 29
  • 56