Monday, June 16, 2008

Integrating Spring Security with JSF/Facelets using acegi-jsf

Abstract

Spring Security is the security framework in the Spring technology stack. It is a mature, powerful and flexible security solution for enterprise applications. It was earlier widely known as Acegi Security and is now called Spring Security. Recently I have been working on a product of mine, which I am building with JSF/Facelets, Spring Web Flow, Spring Security and JPA. Spring Web Flow integrates with Spring Security out of the box and provides an implicit expression language (EL) variable called currentUser that gives access to the authenticated principal name. I wanted more than this in other pages that are not part of Spring Web Flow.

Authentication Tag Libraries

Spring Security out of the box provides the following tag support to get the authenticated principal in JSP fragments.


<security:authentication property="principal.username"/>

However, Spring Security does not provide any support for using similar tags in the JSF/Facelets view technology. I did some research and found the following weblog

My big thanks to Çağatay Çivici, who showed us a way to use the "acegijsf" tag in JSF/Facelets. However, the website needs some more fine-grained details on how to wire everything together to make use of his library. So this is my humble attempt at explaining how to use his library in a less invasive way. I hope this will help any novice JSF/Facelets developer make use of tag support in the JSF/Facelets view technology.

Detailed Steps

NOTE: The above-mentioned jar is customized to use Spring Security 2.0.2 instead of Acegi Security. I also added acegijsf.taglib.xml inside the META-INF folder of the jar. The one you download from Sourceforge.net does not have any of these customizations.

  • Place the above-mentioned jar in WEB-INF/lib of your JSF/Facelets web application.
  • Add the following XML fragments to your faces-config.xml, located under WEB-INF of your web application.

<component>
    <component-type>net.sf.jsfcomp.acegijsf.Authorize</component-type>
    <component-class>net.sf.jsfcomp.acegijsf.Authorize</component-class>
</component>
<component>
    <component-type>net.sf.jsfcomp.acegijsf.Authentication</component-type>
    <component-class>net.sf.jsfcomp.acegijsf.Authentication</component-class>
</component>

  • Now add the following namespace to your Facelets .xhtml file, e.g. xmlns:acegijsf="http://sourceforge.net/projects/jsf-comp/acegijsf"
  • That's it. Now you can use the following tags inside your XHTML.

<acegijsf:authorize ifAllGranted="ROLE_ADMIN">
    Add the components that are only visible to the users that satisfy the requirements here.
</acegijsf:authorize>

The attribute names are the same in both the JSP tag and the JSF component. You just give a list of roles separated by commas (whitespace is omitted). All of these attributes can be bound to a value using EL.

ifAllGranted = User must be in all of the roles
ifAnyGranted = User must be in any of the roles
ifNotGranted = None of the roles must be granted for the user

This component does not render the secured child components if the user does not satisfy the granting requirements given in the attributes.
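
The attribute semantics listed above, modelled in plain Java as an added example (not code from acegi-jsf or Spring Security). It assumes the three attributes combine with AND and that a tag with no attributes renders nothing, as the Acegi JSP authorize tag behaves; the class and method names are hypothetical and the roles are constructed sample data.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical model of the authorize decision; not the acegi-jsf source.
class AuthorizeDecision {

    // Split a comma-separated role list, dropping whitespace and empty entries.
    static Set<String> parseRoles(String attr) {
        Set<String> roles = new HashSet<>();
        if (attr == null) return roles;
        for (String role : attr.replaceAll("\\s+", "").split(",")) {
            if (!role.isEmpty()) roles.add(role);
        }
        return roles;
    }

    // True when the child components should be rendered for a user holding `granted`.
    static boolean shouldRender(Set<String> granted, String ifAll, String ifAny, String ifNot) {
        Set<String> all = parseRoles(ifAll);
        Set<String> any = parseRoles(ifAny);
        Set<String> not = parseRoles(ifNot);
        // Assumption: with no constraint at all, fail closed and render nothing.
        if (all.isEmpty() && any.isEmpty() && not.isEmpty()) return false;
        // ifNotGranted: none of these roles may be held.
        for (String role : not) {
            if (granted.contains(role)) return false;
        }
        // ifAllGranted: every listed role must be held.
        if (!granted.containsAll(all)) return false;
        // ifAnyGranted: at least one listed role must be held.
        if (!any.isEmpty()) {
            any.retainAll(granted);
            if (any.isEmpty()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: a user holding two roles.
        Set<String> granted = new HashSet<>(Arrays.asList("ROLE_USER", "ROLE_EDITOR"));
        System.out.println("all=ROLE_ADMIN: " + shouldRender(granted, "ROLE_ADMIN", null, null));
        System.out.println("all=ROLE_USER, ROLE_EDITOR: " + shouldRender(granted, "ROLE_USER, ROLE_EDITOR", null, null));
        System.out.println("any=ROLE_ADMIN,ROLE_EDITOR: " + shouldRender(granted, null, "ROLE_ADMIN,ROLE_EDITOR", null));
        System.out.println("all=ROLE_USER not=ROLE_EDITOR: " + shouldRender(granted, "ROLE_USER", null, "ROLE_EDITOR"));
        System.out.println("no attributes: " + shouldRender(granted, null, null, null));
    }
}
```

Because the component only suppresses rendering, the actions and URLs behind the hidden components still need their own server-side authorization check.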