AuthorizeTag is used to include content if the current principal holds certain GrantedAuthority objects. The following JSP fragment illustrates how to use the AuthorizeTag:
<security:authorize ifAllGranted="ROLE_SUPERVISOR">
    <td>
        <a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
    </td>
</security:authorize>
This tag would cause the tag's body to be output if the principal has been granted ROLE_SUPERVISOR.
The security:authorize tag declares the following attributes:

ifAllGranted: All the listed roles must be granted for the tag to output its body.

ifAnyGranted: Any of the listed roles must be granted for the tag to output its body.

ifNotGranted: None of the listed roles must be granted for the tag to output its body.
You'll note that in each attribute you can list multiple roles. Simply separate the roles using a comma. The authorize tag ignores whitespace in attributes.
The tag library logically ANDs all of its attributes together. This means that if you combine two or more attributes, all of them must be true for the tag to output its body. Don't add an ifAllGranted="ROLE_SUPERVISOR" followed by an ifNotGranted="ROLE_SUPERVISOR", or you'll be surprised to never see the tag's body.

By requiring all attributes to return true, the authorize tag allows you to create more complex authorization scenarios. For example, you could declare an ifAllGranted="ROLE_SUPERVISOR" and an ifNotGranted="ROLE_NEWBIE_SUPERVISOR" in the same tag, in order to prevent new supervisors from seeing the tag body. However, it would no doubt be simpler to use ifAllGranted="ROLE_EXPERIENCED_SUPERVISOR" rather than inserting NOT conditions into your design.

One last item: the tag verifies the authorizations in a specific order: first ifNotGranted, then ifAllGranted, and finally ifAnyGranted.
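The decision rules above (comma-separated role lists with whitespace ignored, all supplied attributes ANDed, checked in the order ifNotGranted, ifAllGranted, ifAnyGranted) can be modelled in a few lines. The following is an added illustration written for this section, not Spring Security's own tag implementation; the function and parameter names are constructed, and the case where a tag carries no attributes at all is an assumption of the model (the text does not state the tag's behaviour there).

```python
"""Model of the security:authorize tag's decision logic as the text
describes it. Constructed example; not code from Spring Security."""
from typing import Iterable, Optional, Set


def parse_roles(attr: Optional[str]) -> Optional[Set[str]]:
    """Turn an attribute value such as " ROLE_A, ROLE_B " into a set of
    role names, ignoring whitespace. None means the attribute was not
    supplied on the tag at all."""
    if attr is None:
        return None
    return {r.strip() for r in attr.split(",") if r.strip()}


def authorize_body_shown(granted: Iterable[str],
                         ifAllGranted: Optional[str] = None,
                         ifAnyGranted: Optional[str] = None,
                         ifNotGranted: Optional[str] = None) -> bool:
    """True if the tag would output its body for a principal holding the
    given GrantedAuthority names. Every supplied attribute must hold
    (logical AND); they are checked in the documented order."""
    held = set(granted)
    not_granted = parse_roles(ifNotGranted)
    all_granted = parse_roles(ifAllGranted)
    any_granted = parse_roles(ifAnyGranted)
    # 1. ifNotGranted: none of the listed roles may be held.
    if not_granted is not None and held & not_granted:
        return False
    # 2. ifAllGranted: every listed role must be held.
    if all_granted is not None and not all_granted <= held:
        return False
    # 3. ifAnyGranted: at least one listed role must be held.
    if any_granted is not None and not held & any_granted:
        return False
    # Assumption of this model: a tag with no attributes shows its body.
    return True


if __name__ == "__main__":
    # The contradictory tag from the text never shows its body ...
    print(authorize_body_shown({"ROLE_SUPERVISOR"},
                               ifAllGranted="ROLE_SUPERVISOR",
                               ifNotGranted="ROLE_SUPERVISOR"))
    # ... while the "experienced supervisor" pattern hides it only from
    # principals that also hold ROLE_NEWBIE_SUPERVISOR.
    print(authorize_body_shown({"ROLE_SUPERVISOR", "ROLE_NEWBIE_SUPERVISOR"},
                               ifAllGranted="ROLE_SUPERVISOR",
                               ifNotGranted="ROLE_NEWBIE_SUPERVISOR"))
```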
AccessControlListTag is used to include content if the current principal has an ACL to the indicated domain object. The following JSP fragment illustrates how to use the AccessControlListTag:
<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
    <td>
        <a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a>
    </td>
</security:accesscontrollist>
This tag would cause the tag's body to be output if the principal holds either permission 16 or permission 1 for the "contact" domain object. The numbers are actually integers that are used with BasePermission bit masking. Please refer to the ACL section of this reference guide to understand more about the ACL capabilities of Spring Security.
AclTag is part of the old ACL module and should be considered deprecated. For the sake of historical reference, it works exactly the same as AccessControlListTag.