views: 71
answers: 2

I have a JSP which imports a JSP file. Is it possible to secure the import with a Spring Security configuration?

For example, I want to use this line of code:

<c:import url="jsp/admin/add_user.jsp" />

But if the user is not logged in as admin, then this import should not work, for security reasons. I secured the admin folder with this line:

<intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" />

But when I import the add_user JSP in a JSP file where no admin rights are needed, it still works if the user is logged in as a user without the admin role. I prefer not to use tags around the import if this is not necessary.

+3  A: 

Spring Security uses a Servlet Filter to enforce security on the resources the user is accessing.

When you import a JSP, the Servlet Filter can't intercept the call because the resource is loaded internally without passing through a Servlet connection.

A possible solution is to add logic inside the JSP page that prevents importing the secured resource if the user doesn't have the necessary credentials.

I'm not a JSP expert, but I don't see how you can add the necessary logic without adding tags around the import.

Alois Cochard
A: 

You can achieve this by forcing the request to go outside the container. e.g.

<c:import url="http://localhost/jsp/admin/add_user.jsp" />

However, I wouldn't really recommend this. One reason is that in many containers, if a 403 is returned from the imported URL it will propagate to the parent page and return a 403 for the entire page.

So wrapping the import in some spring security tags may be a better way to go.

Although I'd also consider simply having two separate JSPs: one for admin users and one for non-admin users. If you break down the page into components, almost no duplication of content should be required.

Pablojim
Thanks, this works. I do want a 403 error for the entire page, since this should not happen on normal site navigation. Unfortunately I don't get a 403 but a nested login form in my current page.
Mark Baijens
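The "wrap the import in Spring Security tags" option from the second answer, written out as an added example (not code from either answer or from Spring Security's own documentation). It assumes the spring-security-taglibs jar is on the classpath, that the `/jsp/admin/**` intercept-url rule from the question is in place, and that `add_user.jsp` lives under the web application's `jsp/admin` directory; the tag prefixes `c` and `sec` are conventional, not required.

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%-- Added example, not part of the original thread. Assumes spring-security-taglibs
     is available and the intercept-url rule for /jsp/admin/** is configured. --%>

<%-- Weak form (commented out): the import is resolved inside the container, so the
     security filter chain never runs for it and any logged-in user receives the
     admin fragment, regardless of the intercept-url rule. --%>
<%-- <c:import url="/jsp/admin/add_user.jsp" /> --%>

<%-- Hardened form: evaluate the same expression the intercept-url rule uses
     before the include is performed. Users without ROLE_ADMIN never reach the
     c:import, so the admin fragment is not rendered and no 403 is raised. --%>
<sec:authorize access="hasRole('ROLE_ADMIN')">
    <c:import url="/jsp/admin/add_user.jsp" />
</sec:authorize>

<%-- Optional branch for everyone else, so the page degrades cleanly instead of
     showing a nested login form or an empty region. --%>
<sec:authorize access="!hasRole('ROLE_ADMIN')">
    <p>Administrative functions are not available for this account.</p>
</sec:authorize>
```

Two things to keep in mind when using this: `sec:authorize` only controls what this page renders, so the intercept-url rule is still what protects a direct request to `/jsp/admin/add_user.jsp`, and the expression in both places should stay identical so the two checks cannot drift apart. The leading slash makes the import context-relative; the question's `jsp/admin/add_user.jsp` form resolves relative to the including page instead, which is fine as long as the including page sits at the web application root.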