After given a
demo to the customer, they wished to modify the specification so that
after login, the page always shows the name of the user logged in. Also
they would prefer if the navigation was customized to the type of user
that has logged in. e.g. standard users with ROLE_USER should not see
the link to the admin page on the common navigation.
The specification has been updated as follows:
User Story 7: Create common navigation that all secure pages will contain.
Note: There will be links to home, admin pages and a logout link.
Note: only admin users should see the admin link on the common navigation.
User Story 10: A common information bar should exist on all secure pages that displays whether the user is logged in or not.
The solution
To customize the common navigation per user role type and display
the logged in username, we are going to use spring security’s tag libs,
specifically the authorize and authentication tags.
Add spring security taglibs as dependency
Add spring-security-taglibs-2.0.4.jar to our WAR projects lib folder.
The implementation
The first step is to update our acceptance tests that verify behavior on the common navigation:
@Test
public void shouldNotBeAbleToSeeAdminLinkOnCommonNavigationWhenNotLoggedInAsStandardUser() {
driver.get("http://localhost:8080/springsecuritywebapp/home.htm");
login(driver);
// verify
assertThat(driver.getTitle(),
is("Home: Spring Security Web Application"));
try {
driver.findElement(By.linkText("Admin"));
fail("should not be able to see a link to admin page when logged in as standard user");
} catch (final NoSuchElementException e) {
assertNotNull(e);
}
}
@Test
public void shouldBeAbleToViewUsernameOfUserOnAdminPageWhenSuccessfullyAuthenticated() {
loginAsUser(driver, withAdminRole());
// state verification
assertThat(driver.getTitle(),
is("Admin: Spring Security Web Application"));
assertThat(driver.findElement(By.id("loginstatus")).getText(),
containsString("Logged in as: admin"));
}
@Test
public void shouldBeAbleToViewUsernameOfUserOnHomePageWhenSuccessfullyAuthenticated() {
login(driver);
// state verification
assertThat(driver.getTitle(),
is("Home: Spring Security Web Application"));
assertThat(driver.findElement(By.id("loginstatus")).getText(),
containsString("Logged in as: username"));
}
Next step is to create a userinfobar.jsp file that will be included in each secure page:
<span id="loginstatus">Logged in as: <security:authentication property="principal.username"/>
</span>
<br />
Things to note:
- we are using the authentication tag from spring security’s tag libs
(which will be included at top of each jsp that includes this file)
Next this should be included in the home.jsp and admin.jsp pages. Here is home.jsp:
<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %>
<html>
<head>
<title>Home: Spring Security Web Application</title>
</head>
<body>
<%@ include file="/WEB-INF/jsp/navigation.jsp" %>
<%@ include file="/WEB-INF/jsp/userinfobar.jsp"%>
home page: only logged in users should see this page.
</body>
</html>
Things to note:
- The spring security tablib is included at top of page
- The userinfobar.jsp file is included so will display username of logged in users.
Build, deploy and run all acceptance tests.
Getting the code
The code for this part is tagged and available for viewing online at: http://code.google.com/p/spring-security-series/source/browse/#svn/tags/SpringSecuritySeriesWAR-Part8
SVN Url: https://spring-security-series.googlecode.com/svn/tags/SpringSecuritySeriesWAR-Part8