<sec:authorize is there a showIfNOTGranted?

#1
Hi,

I've been reading about the Spring Security <sec:authorize tag; all the examples assume that you want to hide something if the user is not authorised.

eg

<sec:authorize ifAllGranted="ROLE_SUPERVISOR">
Hello, you are a Supervisor
</sec:authorize>

...but is there a way to show something if you are NOT authorized?

eg

<sec:authorize ifNOTGranted="ROLE_SUPERVISOR">
Go away! You are NOT a Supervisor!
</sec:authorize>

Obviously it would be easy to write my own tag, but I wonder if the Spring one provides this functionality?

Thanks

David Bevan

#2
See http://static.springframework.org/sp...on-common.html, paragraph 22.4:

The security:authorize tag declares the following attributes:

* ifAllGranted: All the listed roles must be granted for the tag to output its body.
* ifAnyGranted: Any of the listed roles must be granted for the tag to output its body.
* ifNotGranted: None of the listed roles must be granted for the tag to output its body.


#3
Hey,
what I'd need is a tag to check if the user is logged in at all, never mind his roles. One solution would be: ifAnyGranted="ROLE_A, ROLE_B, .. " but that doesn't seem to be optimal, since forgetting only one role might cause a stupid security 'bug'.
What I did for now is:
Code:
<c:set var="loggedInUser"><sec:authentication property="principal"/></c:set>
<c:choose>
    <c:when test="${loggedInUser == 'roleAnonymous'}">
        ...
    </c:when>
</c:choose>
But that doesn't seem optimal either; I don't like this == 'roleAnonymous' (is it said anywhere that this string won't change somewhere/somehow? I don't think so).

Another solution would be to give everybody ROLE_WHATEVER and assume that not having ROLE_WHATEVER means you're not logged in. But this seems like a workaround; what's the best solution?

Thanks,
Kornel


#4
If I'm not mistaken, Spring Security will give everyone that isn't authenticated "ROLE_ANONYMOUS" and everyone who is authenticated "ROLE_AUTHENTICATED" automatically.

Unfortunately, I can't find any reference or documentation that states this.
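The two questions in this thread so far (show something only when a role is NOT held, and "is the user logged in at all?") can both be answered with the documented ifNotGranted/ifAnyGranted attributes. The JSP fragment below is an added example, not code from any poster. It assumes the Spring Security 2.x tag library, that the security namespace config includes the anonymous filter (whose default granted authority is ROLE_ANONYMOUS), that logged-in principals are UserDetails objects (so principal.username resolves), and that /login.jsp and the default /j_spring_security_logout URL exist in the application.

```jsp
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<%-- Case from post #1: output only for users who are NOT supervisors.
     ifNotGranted means "none of the listed roles is held". --%>
<sec:authorize ifNotGranted="ROLE_SUPERVISOR">
    Go away! You are NOT a Supervisor!
</sec:authorize>

<%-- Case from post #3: a login check that does not enumerate every application role.
     Assumption: the anonymous filter is enabled, so an unauthenticated visitor carries
     exactly one authority, ROLE_ANONYMOUS, and a logged-in user never does. --%>
<sec:authorize ifAnyGranted="ROLE_ANONYMOUS">
    <a href="<c:url value='/login.jsp'/>">Log in</a>   <%-- assumed login page --%>
</sec:authorize>

<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
    <%-- Only reached for a real Authentication; principal.username assumes a UserDetails principal. --%>
    Welcome, <sec:authentication property="principal.username"/>
    <a href="<c:url value='/j_spring_security_logout'/>">Log out</a>
</sec:authorize>
```

The second pattern avoids comparing the principal against the string 'roleAnonymous': it tests the authority the anonymous filter assigns rather than the username it assigns, and the authority name is the value you configure (or leave at its default) in the security namespace, so it is under your control. It only works for requests that actually pass through the security filter chain; a URL that is excluded from the chain has no Authentication at all, and then neither tag has anything to evaluate.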


#5
Hi all.

I have a problem with security:authorize too. I debugged the code and I've seen that in AuthorizeTag:129

Code:
Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
returns null. Why can this be?


#6
After successful authentication? You're using Spring Security, right? I've never had an issue like this; you sure the user is logged in?


#7
Originally posted by Kornel:
    After successful authentication? You're using Spring Security, right? I've never had an issue like this; you sure the user is logged in?

Just fixed this - I had

Code:
<intercept-url pattern="/home" filters="none" />
After changing to

Code:
<intercept-url pattern="/home" access="ROLE_ANONYMOUS,ROLE_USER" />
all worked.
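The fix in post #7 is worth seeing in a full namespace configuration, because the two intercept-url forms look similar but do very different things. The following is an added example, not the poster's configuration; it assumes the Spring Security 2.0 namespace schema and uses constructed sample users.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Assumes the Spring Security 2.0 namespace. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <http>
        <!-- Patterns are matched in order; the first match wins, so put the
             specific ones before the catch-all. -->

        <!-- The setting from post #7 that broke the tags. filters="none" takes
             the request out of the security filter chain entirely: no anonymous
             filter runs, no SecurityContext is populated, and <sec:authorize> /
             <sec:authentication> see a null Authentication (the symptom in post #5).
             Reserve this for static resources that never render security tags. -->
        <!-- <intercept-url pattern="/home" filters="none" /> -->

        <!-- The corrected setting: the request stays in the filter chain, the
             anonymous filter assigns ROLE_ANONYMOUS to visitors, and the page is
             reachable by both anonymous and logged-in users, so the authorize tag
             can tell the two apart. -->
        <intercept-url pattern="/home" access="ROLE_ANONYMOUS,ROLE_USER" />

        <!-- Truly static content may be excluded; no JSP tags run for these. -->
        <intercept-url pattern="/static/**" filters="none" />

        <!-- Everything else requires a logged-in user. -->
        <intercept-url pattern="/**" access="ROLE_USER" />

        <form-login />
        <logout />
        <!-- Explicit anonymous filter: username and granted-authority are the
             values the JSP tags end up testing. -->
        <anonymous username="roleAnonymous" granted-authority="ROLE_ANONYMOUS" />
    </http>

    <authentication-provider>
        <user-service>
            <!-- Constructed sample accounts, not real credentials. -->
            <user name="alice" password="alice-pw" authorities="ROLE_USER,ROLE_SUPERVISOR" />
            <user name="bob"   password="bob-pw"   authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</beans:beans>
```

The practical rule: a URL whose JSP uses the security tags must go through the filter chain, so grant it access to ROLE_ANONYMOUS (or the equivalent) rather than excluding it with filters="none". Excluding it does not just skip authorization; it removes the Authentication the tags depend on.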
