Restricting Access by Role

You can use role-based customizations to control access to many user interface components, including menus, Java Server Pages, and web flows. This example shows how to control access to existing UI components; the same techniques work with custom components you create.

In this example scenario, suppose end users haven’t had training in creating reports with the Ad Hoc Editor, and you wish to hide it from users, but make it accessible to administrators. To hide access to the Ad Hoc Editor, you need to customize the UI in three ways:

Customize the Create menu to restrict access to Ad Hoc creation to administrators.
Customize the JSP content on the home page to hide the Create Ad Hoc View button from non-administrative users.
Customize the Ad Hoc web flow to restrict access to administrators.

The following sections show how to perform each of these actions.

Be very careful when editing the JSP or XML files that define the UI. Simple typos or bugs such as unclosed tags can cause the server to appear in an incorrect state, or make it impossible to log in. After fixing the problem, you may need to restart the app server; reloading the web app doesn’t always resolve the issue.

Restricting a Menu Item by Role

1. Edit the file <js-webapp>/WEB-INF/actionModel-navigation.xml. The actionModel for Create > Ad Hoc View is near the end of the file.
<context name="main_create_mutton" test="isProVersion">
  <condition test="!banUserRole">
    <condition test="!isMainFeaturesDisabled">
      <selectAction labelKey="NAV_005_CREATE">
        <condition test="isAvailableProFeature" testArgs="AHD">
          <condition test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR">
            <option labelKey="NAV_051_ADHOC_REPORT"
            <!-- remaining attributes of the option and the closing tags are omitted from this excerpt -->
2. Following the pattern of conditions for other administrator-only functionality, insert the condition tag for checking role authentication around the option tag to display the Ad Hoc menu item, as shown in the code sample above.

In commercial editions, you must specify the role’s organization ID when restricting access to roles defined in an organization. There are three ways to specify a role in the commercial edition:

ORG_ROLE|orgID – Explicitly specify a role belonging to an organization.
ORG_ROLE|* – Match the role name in any organization in the user’s scope (parent organizations and root).
SYSTEM_ROLE – Explicitly specify a role defined at the root or system level, such as ROLE_ADMINISTRATOR.

If you want to hide an entire menu, follow the pattern of the Manage menu, which is hidden from non-administrators. In this case, add the test and testArgs attributes to the context tag that displays the menu, as shown in the following sample:

<!-- The Manage menu is displayed only to administrators -->
<context name="main_manage_mutton"
         test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR">
  <selectAction labelKey="menu.administration">
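The warning at the start of this page is the practical problem with these edits: an unclosed tag in actionModel-navigation.xml is only discovered once the server is in a bad state. The following script is an added example, not part of the JasperReports Server documentation or code base. It parses a constructed actionModel-style fragment modelled on the two excerpts above (the Create menu with the Ad Hoc option, and the Manage menu guarded at the context level), rejects malformed XML before it is deployed, and confirms that the option is actually enclosed by a checkAuthenticationRoles condition for the expected role. The element and attribute names come from the page; the closing tags, the placeholder option labelKey NAV_EXAMPLE_ITEM, and the function names are assumptions.

```python
"""Pre-deployment check for a role-restricted actionModel fragment (added example)."""
import xml.etree.ElementTree as ET


def create_menu_fragment(guard=True):
    """Constructed sample modelled on the page's Create menu excerpt, completed
    with closing tags so that it parses.  guard=False yields the pre-edit
    fragment in which the Ad Hoc option is not wrapped in a role condition.
    The option's other attributes are omitted (assumption)."""
    open_guard = ('<condition test="checkAuthenticationRoles" '
                  'testArgs="ROLE_ADMINISTRATOR">' if guard else "")
    close_guard = "</condition>" if guard else ""
    return f"""<context name="main_create_mutton" test="isProVersion">
  <condition test="!banUserRole">
    <condition test="!isMainFeaturesDisabled">
      <selectAction labelKey="NAV_005_CREATE">
        <condition test="isAvailableProFeature" testArgs="AHD">
          {open_guard}
            <option labelKey="NAV_051_ADHOC_REPORT"/>
          {close_guard}
        </condition>
      </selectAction>
    </condition>
  </condition>
</context>
"""


# Constructed sample modelled on the Manage menu excerpt: the whole menu is
# guarded by test/testArgs on the context element.  NAV_EXAMPLE_ITEM is a
# placeholder labelKey, not a real JasperReports Server key.
MANAGE_MENU = """<context name="main_manage_mutton"
         test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR">
  <selectAction labelKey="menu.administration">
    <option labelKey="NAV_EXAMPLE_ITEM"/>
  </selectAction>
</context>
"""

# Constructed sample of the typo the page warns about: the closing context tag is missing.
BROKEN_FRAGMENT = create_menu_fragment().replace("</context>", "")


def roles_guarding(root, label_key):
    """Return the testArgs of every checkAuthenticationRoles <condition> that
    encloses the <option> with the given labelKey, or None if no such option."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    option = next((e for e in root.iter("option") if e.get("labelKey") == label_key), None)
    if option is None:
        return None
    guards = []
    node = option
    while node in parent_of:          # walk up to the root context element
        node = parent_of[node]
        if node.tag == "condition" and node.get("test") == "checkAuthenticationRoles":
            guards.append(node.get("testArgs"))
    return guards


def menu_role_guard(root):
    """Role named on the context element itself (whole-menu restriction), or None."""
    if root.get("test") == "checkAuthenticationRoles":
        return root.get("testArgs")
    return None


def check_fragment(xml_text, label_key="NAV_051_ADHOC_REPORT", role="ROLE_ADMINISTRATOR"):
    """Return (ok, message): ok is True only when the XML is well formed and the
    option is restricted to `role`, either by an enclosing condition or at the
    menu (context) level."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:      # unclosed or mismatched tags land here
        return False, f"malformed XML: {exc}"
    guards = roles_guarding(root, label_key)
    if guards is None:
        return False, f"option {label_key} not found"
    if role in guards or menu_role_guard(root) == role:
        return True, f"{label_key} is restricted to {role}"
    return False, f"{label_key} is not guarded by {role}"


if __name__ == "__main__":
    for name, text in [("guarded", create_menu_fragment()),
                       ("unguarded", create_menu_fragment(guard=False)),
                       ("manage menu", MANAGE_MENU),
                       ("broken", BROKEN_FRAGMENT)]:
        print(name, check_fragment(text, "NAV_EXAMPLE_ITEM" if name == "manage menu" else "NAV_051_ADHOC_REPORT"))
```

Run it against the real file by reading <js-webapp>/WEB-INF/actionModel-navigation.xml and passing the text to check_fragment; a parse error there means the server would not have loaded the file cleanly either.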

Restricting a Section of a JSP File by Role

You can use Spring Security’s authorization tags to set up access control on JSP pages:

1. Make sure that the line to import the Spring authz tag is near the beginning of the file. This line is necessary in any JSP file that implements access control:

<%@ taglib uri="" prefix="authz"%>

<%@ taglib prefix="t" uri="" %>
<%@ taglib uri="" prefix="authz"%>
<%@ taglib prefix="c" uri="" %>
<%@ taglib uri="/spring" prefix="spring"%>
<authz:authorize ifAllGranted="ROLE_ADMINISTRATOR">
    <a id="createReports" class="button action jumbo up"><span
      class="wrap"><spring:message code="home.create" javaScriptEscape="true"/>
      </span><span class="icon"></span></a>
</authz:authorize>
2. Insert the authz:authorize tag for checking role authentication before the element you want to restrict, as shown in the code sample above.

In commercial editions, you must use the js:authorize tag and specify the role’s organization ID when restricting access to roles defined in an organization. For example:

<js:authorize ifAllGranted="ORG_ROLE|OrgID">...</js:authorize>

You can use the ORG_ROLE|OrgID, ORG_ROLE|*, or SYSTEM_ROLE syntax, as described in Restricting a Menu Item by Role.

See the Spring Security Reference Documentation for more information.

Controlling Access to Web Flows

JasperReports Server uses Spring Web Flow to define and control its UI flow. A Spring flow is a sequence of related pages for which you define states and transitions in relation to your own business logic. In addition to controlling which items users see on the menus, you can control the functionality they can access by setting permissions on web flows.

Be very careful when setting access to existing web flows. UI components that depend on a web flow may not work properly if access to the web flow has been modified.

In this example, suppose you want to ensure users cannot access the Ad Hoc Editor through its URI. To do this, restrict the Ad Hoc web flow to administrative users:

1. Navigate to the Ad Hoc Editor by clicking the Create Ad Hoc View button on the home page. You see the URI for the flow in the navigation bar:


This tells you that the URI for the Ad Hoc Editor flow is adhocFlow.

2. Open the file <js-webapp>/WEB-INF/applicationContext-security.xml for editing.
3. Locate the flowVoter bean. This bean sets the permissions for flows.
<bean id="flowVoter" ...>
  <property name="flowAccessAttribute" value="FLOW_ACCESS"/>
  <property name="flowDefinitionSource">
    <!-- custom flow permissions -->
    adhocFlow=ROLE_ADMINISTRATOR
    ...

In the unmodified file, this bean already lists a number of flows set to ROLE_ADMINISTRATOR, but adhocFlow does not appear explicitly. Instead, the entry *=ROLE_USER,ROLE_ADMINISTRATOR determines access for every flow that is not named explicitly, so by default the Ad Hoc flow is reachable by any user holding ROLE_USER.

4. Set access for the Ad Hoc flow by adding the entry adhocFlow=ROLE_ADMINISTRATOR, as shown in the code sample above. Because the explicit entry takes precedence over the * entry, non-administrators can no longer reach the flow through its URI.
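To make the resolution rule concrete (an explicit flow entry wins, otherwise the * entry applies) together with the commercial-edition role syntax described under Restricting a Menu Item by Role, here is an added example that is not JasperReports Server's own flowVoter implementation. It parses the key=roles lines of a flowDefinitionSource value, looks up the roles for a flow ID, and matches a user's roles against specs written as ROLE|orgID, ROLE|* or SYSTEM_ROLE. Two points are assumptions rather than statements from the page: a user is granted the flow when any one of the listed roles matches (which is how the joeuser/jasperadmin walkthrough below reads), and a user's organization scope is modelled as the list of organization IDs from their own organization up to, but not including, root. The flow IDs exampleFlow and otherFlow, the role ROLE_ANALYST, and the organization IDs are constructed sample values.

```python
"""Resolving flow access from a flowVoter flowDefinitionSource (added example)."""

# Constructed sample modelled on the page's flowVoter excerpt (community edition roles).
FLOW_DEFINITION_SOURCE = """
    <!-- custom flow permissions -->
    adhocFlow=ROLE_ADMINISTRATOR
    *=ROLE_USER,ROLE_ADMINISTRATOR
"""

# Constructed sample using the commercial-edition role syntax.  ROLE_ANALYST,
# exampleFlow and the organization IDs are placeholders.
ORG_FLOW_SOURCE = """
    adhocFlow=ROLE_ANALYST|organization_1
    exampleFlow=ROLE_ANALYST|*
    *=ROLE_USER|*,ROLE_ADMINISTRATOR
"""


def parse_flow_source(text):
    """Map flow id -> list of role specs.  Blank lines and XML comment lines
    (assumed to be on their own line) are ignored; a repeated key overrides."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<!--"):
            continue
        flow, _, roles = line.partition("=")
        rules[flow.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return rules


def roles_for_flow(rules, flow_id):
    """Explicit entry first, then the * default; no entry at all means no roles (deny)."""
    return rules.get(flow_id, rules.get("*", []))


def role_matches(spec, user_role, user_org, user_scope):
    """Match one role spec against a single user role.

    spec        'ROLE|orgID', 'ROLE|*' or 'ROLE' (system-level), as on the page
    user_role   role name the user holds
    user_org    organization the role is defined in, or None for root/system level
    user_scope  organization IDs from the user's own organization up to root
    """
    name, sep, org = spec.partition("|")
    if name != user_role:
        return False
    if not sep:                       # SYSTEM_ROLE: only a root/system-level role matches
        return user_org is None
    if org == "*":                    # ROLE|*: the role in any org in scope, or at root
        return user_org is None or user_org in user_scope
    return user_org == org            # ROLE|orgID: exactly that organization


def can_access(rules, flow_id, user_roles, user_scope=()):
    """True when any role the user holds satisfies any spec listed for the flow
    (any-of semantics, an assumption).  user_roles: iterable of (name, org_or_None)."""
    specs = roles_for_flow(rules, flow_id)
    return any(role_matches(spec, name, org, user_scope)
               for spec in specs for name, org in user_roles)


if __name__ == "__main__":
    rules = parse_flow_source(FLOW_DEFINITION_SOURCE)
    joeuser = [("ROLE_USER", None)]
    jasperadmin = [("ROLE_USER", None), ("ROLE_ADMINISTRATOR", None)]
    print("joeuser adhocFlow:", can_access(rules, "adhocFlow", joeuser))
    print("joeuser otherFlow:", can_access(rules, "otherFlow", joeuser))
    print("jasperadmin adhocFlow:", can_access(rules, "adhocFlow", jasperadmin))
```

The deny-by-default branch in roles_for_flow is deliberate: if you remove the * entry while editing, every flow without an explicit line becomes inaccessible, which is the kind of breakage the caveat about existing web flows refers to.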

Loading Your Changes

1. Save the modified files and reload the web app in the app server to see the changes (see Reloading the JasperReports Server Web App).
2. When the web app has reloaded, log into JasperReports Server as joeuser. You can see that the button for creating a report is removed, and there is no Create > Create Ad Hoc Report menu item. Log out and log back in as jasperadmin. Both the button and the menu item are visible to administrators.