Authorization Tag Library question

Hi guys,

In my app I have a form login for authentication in the header of all my app pages. I must show de form when the user are not logged in and your data when it's logged. Googling a litle bit I found the authorization tag library, and I have tried this:

Code:

---

...
<sec:authorize ifNotGranted="ROLE_USER">
  <!-- show the form stuff -->
</sec:authorize>
<sec:authorize ifAllGranted="ROLE_USER">
  <!-- show the user stuff -->
</sec:authorize>
...

---

But unfortunately this not worked for me. I've tried use the ifAnyGranted attribute but without success.

Any of you guys have some advice to me?!? I´m stucked on this problem and I want to use the power of this taglibs over the overhead of making custom code to handle this.

tks in advice.

I am using these tags just fine in my application:

I use them from my navigation JSP

Code:

---

<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %>
..
<security:authorize ifAnyGranted="PERM_USER_ADD">
... render menu item to create new users
</security:authorize>

---

Question: Are you using spring security in your application elsewhere?

Suggestion: Why don't you make a test page/controller that dumps the person's current login id and roles, then you can see if the tags _should_ work.

Tks honeybunny for your fast reply, but I think I was not clear enough in my last post.

In fact the tag ifNotGranted works for me, my problem is that I cannot use both of them at the same time, let me explain:

I have a box in my layout that I want to show a login form, if the user are not logged, or user´s information, if the user are logged in. Something like this:

Code:

---

<div class="userBox">
<core:choose>
  <core:when test="${isUserLogged}">
    <form name="f" action="j_spring_security_check" method="POST">
    <input type="text" name="j_username" class="campo_user" size="15" value=""/><br />
    <input type="password" name="j_password" class="campo_user" value="" size="15" /><br />
    <input type="submit" />
    </form>
  </core:when>
  <core:otherwise>
    welcome <span><core:out value="${user.name}"/></span>
  </core:otherwise>
</core:choose>
</div>

---

I want to avoid to do that cause I will have to handle if the user are logged and wrap this information to my view in every controller of my application.
I´ve done one attempt to do that using a combination of authorize tags with ifNotGranted and ifAnyGranted attributes, the code in my first post, but I have realised that just the block with ifNotGranted are rendered, even when my user are logged in.

I hope I make myself a little bit more clear now.

Tks in advance.

Quote:

---

that just the block with ifNotGranted are rendered, even when my even when my user are logged in.

---

This suggests that the tag library is not seeing your GrantedAuthorities or are not named in a way that matches your JSP:

From your controller try this:

Code:

---

SecurityContext context = SecurityContextHolder.getContext();
Authentication auth = context.getAuthentication();
pageModel.put("authorities", auth.getAuthorities());

---

Then list them in your JSP. There may be a built in tag that exposes granted authorities this too, but you can log them in your controller if you think the tag library

After your advice and some tests I realised that my index controller are without any filters

<security:intercept-url pattern="/index.html" filters="none" />

I've changed to

<security:intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />

And everything works great.

Tks.