Authorization Tag Libraries

AuthorizeTag includes its body content only if the current principal holds certain GrantedAuthority objects (roles).

The following JSP fragment illustrates how to use the AuthorizeTag:


<security:authorize ifAllGranted="ROLE_SUPERVISOR">
  <td>
    <a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
  </td>
</security:authorize>

This tag causes its body to be output only if the principal has been granted ROLE_SUPERVISOR; otherwise the Del link is omitted from the rendered page.

The security:authorize tag declares the following attributes:

ifAllGranted: all of the listed roles must be granted for the tag to output its body.

ifAnyGranted: at least one of the listed roles must be granted for the tag to output its body.

ifNotGranted: none of the listed roles may be granted for the tag to output its body.

Each attribute accepts multiple roles: simply separate the roles with commas. The authorize tag ignores whitespace around the role names in its attributes.

The tag logically ANDs all of its attributes together. This means that if you combine two or more attributes, every attribute must evaluate to true for the tag to output its body. Don't add an ifAllGranted="ROLE_SUPERVISOR" followed by an ifNotGranted="ROLE_SUPERVISOR", or you'll be surprised never to see the tag's body.

By requiring all attributes to evaluate to true, the authorize tag lets you express more complex authorization scenarios. For example, you could declare ifAllGranted="ROLE_SUPERVISOR" and ifNotGranted="ROLE_NEWBIE_SUPERVISOR" in the same tag, in order to prevent new supervisors from seeing the tag body. However, it would no doubt be simpler to use ifAllGranted="ROLE_EXPERIENCED_SUPERVISOR" rather than inserting NOT conditions into your role design.

One last item: the tag evaluates its attributes in a specific order: first ifNotGranted, then ifAllGranted, and finally ifAnyGranted.
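To make the AND semantics and the comma handling described above concrete, here is an added example (not Spring Security's own tag implementation) that models the decision the authorize tag makes. The class and method names are hypothetical; the role names are those used in the fragments above, and the principal role sets are constructed sample data.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Hypothetical model of the authorize tag's decision logic (example code,
 * not Spring Security's implementation). The three String parameters stand
 * for the JSP attributes; granted is the set of GrantedAuthority names held
 * by the current principal.
 */
public class AuthorizeTagModel {

    /** Split a comma-separated attribute value, dropping surrounding whitespace. */
    static Set<String> parseRoles(String attribute) {
        if (attribute == null || attribute.trim().isEmpty()) {
            return new LinkedHashSet<>();
        }
        return Arrays.stream(attribute.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /**
     * Returns true if the tag body should be rendered. The attributes are
     * evaluated in the order the text gives (ifNotGranted, ifAllGranted,
     * ifAnyGranted) and ANDed together; an attribute that is not set
     * imposes no constraint.
     */
    static boolean shouldRender(Set<String> granted, String ifNotGranted,
                                String ifAllGranted, String ifAnyGranted) {
        Set<String> not = parseRoles(ifNotGranted);
        Set<String> all = parseRoles(ifAllGranted);
        Set<String> any = parseRoles(ifAnyGranted);

        // ifNotGranted: the principal may hold none of the listed roles.
        if (not.stream().anyMatch(granted::contains)) {
            return false;
        }
        // ifAllGranted: the principal must hold every listed role.
        if (!granted.containsAll(all)) {
            return false;
        }
        // ifAnyGranted: if roles were listed, the principal must hold at least one.
        if (!any.isEmpty() && any.stream().noneMatch(granted::contains)) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample principals.
        Set<String> plainUser = new LinkedHashSet<>(Arrays.asList("ROLE_USER"));
        Set<String> supervisor = new LinkedHashSet<>(Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR"));
        Set<String> newSupervisor = new LinkedHashSet<>(Arrays.asList(
                "ROLE_USER", "ROLE_SUPERVISOR", "ROLE_NEWBIE_SUPERVISOR"));

        // The first fragment from the text: only supervisors see the Del link.
        System.out.println("supervisor sees Del: "
                + shouldRender(supervisor, null, "ROLE_SUPERVISOR", null));
        System.out.println("plain user sees Del: "
                + shouldRender(plainUser, null, "ROLE_SUPERVISOR", null));

        // Whitespace around the comma-separated roles is ignored.
        System.out.println("padded role list: "
                + shouldRender(supervisor, null, " ROLE_USER , ROLE_SUPERVISOR ", null));

        // Contradictory attributes are ANDed, so the body can never render.
        System.out.println("ifAllGranted + ifNotGranted on the same role: "
                + shouldRender(supervisor, "ROLE_SUPERVISOR", "ROLE_SUPERVISOR", null));

        // Excluding new supervisors with a NOT condition, as in the text.
        System.out.println("experienced supervisor: "
                + shouldRender(supervisor, "ROLE_NEWBIE_SUPERVISOR", "ROLE_SUPERVISOR", null));
        System.out.println("new supervisor: "
                + shouldRender(newSupervisor, "ROLE_NEWBIE_SUPERVISOR", "ROLE_SUPERVISOR", null));
    }
}
```

Running the main method shows the supervisor and padded-role-list cases rendering, the plain user and the contradictory ifAllGranted/ifNotGranted combination never rendering, and the ifNotGranted="ROLE_NEWBIE_SUPERVISOR" condition hiding the body from the new supervisor while leaving it visible to the experienced one. Note that the tag only controls what is rendered in the view; the del.htm request itself still needs server-side authorization, since a user can submit the URL without ever seeing the link.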

AccessControlListTag includes its body content only if the current principal holds an ACL permission on the indicated domain object.

The following JSP fragment illustrates how to use the AccessControlListTag:

<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
  <td>
    <a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a>
  </td>
</security:accesscontrollist>

This tag causes its body to be output if the principal holds either permission 8 or permission 16 on the "contact" domain object. The numbers are the integer mask values used with BasePermission bit masking. Please refer to the ACL section of this reference guide to understand more about the ACL capabilities of Spring Security.
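The following added example (not the library's own algorithm) shows what the integers in hasPermission="8,16" mean in BasePermission terms and how an any-of check over a bit mask decides whether the body is rendered. The BasePermission values are those defined by Spring Security; the class, method names and the per-principal masks are hypothetical, constructed for illustration, and the check is a simplified bit-mask model rather than the ACL module's actual evaluation.

```java
import java.util.Arrays;

/**
 * Simplified model of the permission check behind the accesscontrollist tag
 * (example code, not Spring Security's implementation). A principal's access
 * to the domain object is represented as a single bit mask built from the
 * BasePermission values.
 */
public class AclPermissionModel {

    // BasePermission mask values.
    static final int READ = 1;
    static final int WRITE = 2;
    static final int CREATE = 4;
    static final int DELETE = 8;
    static final int ADMINISTRATION = 16;

    /** Parse the hasPermission attribute (for example "8,16") into the masks it lists. */
    static int[] parsePermissions(String attribute) {
        return Arrays.stream(attribute.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .mapToInt(Integer::parseInt)
                .toArray();
    }

    /**
     * The body is rendered if the principal's mask on the domain object
     * covers at least one of the permissions listed in the attribute.
     */
    static boolean hasAnyPermission(int principalMask, String hasPermissionAttribute) {
        for (int required : parsePermissions(hasPermissionAttribute)) {
            if ((principalMask & required) == required) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample masks for one "contact" object, one per principal.
        int readerMask = READ;
        int editorMask = READ | WRITE;
        int deleterMask = READ | DELETE;
        int adminMask = ADMINISTRATION;

        // The attribute from the fragment: DELETE (8) or ADMINISTRATION (16).
        String hasPermission = "8,16";

        System.out.println("reader  sees Del: " + hasAnyPermission(readerMask, hasPermission));
        System.out.println("editor  sees Del: " + hasAnyPermission(editorMask, hasPermission));
        System.out.println("deleter sees Del: " + hasAnyPermission(deleterMask, hasPermission));
        System.out.println("admin   sees Del: " + hasAnyPermission(adminMask, hasPermission));
    }
}
```

Only the principals whose mask includes the DELETE bit (8) or the ADMINISTRATION bit (16) get the Del link; READ and WRITE alone are not enough. As with the authorize tag, hiding the link is a usability measure, not an access control: the del.htm handler must enforce the same ACL check on the server side.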

AclTag is part of the old ACL module and should be considered deprecated. For the sake of historical reference, it works exactly the same as AccessControlListTag.