
Thread: <sec:authorize is there a showIfNOTGranted?

  1. #1

    Hi,

    I've been reading about the Spring Security <sec:authorize tag; all the examples assume that you want to hide something if the user is not authorised.

    e.g.

    <sec:authorize ifAllGranted="ROLE_SUPERVISOR">
    Hello, you are a Supervisor
    </sec:authorize>

    ...but is there a way to show something if you are NOT authorized?

    e.g.
    <sec:authorize ifNOTGranted="ROLE_SUPERVISOR">
    Go away! You are NOT a Supervisor!
    </sec:authorize>

    Obviously it would be easy to write my own tag, but I wonder if the Spring one provides this functionality?


    Thanks

    David Bevan

  2. #2


    See http://static.springframework.org/sp...on-common.html, paragraph 22.4:

    The security:authorize tag declares the following attributes:

    * ifAllGranted: All the listed roles must be granted for the tag to output its body.
    * ifAnyGranted: Any of the listed roles must be granted for the tag to output its body.
    * ifNotGranted: None of the listed roles must be granted for the tag to output its body.

  3. #3

    Hey,
    What I'd need is a tag to check if the user is logged in at all, never mind his roles? One solution would be: ifAnyGranted="ROLE_A, ROLE_B, .. " but that doesn't seem to be optimal since forgetting only one role might cause a stupid security 'bug'.
    What I did for now is:
    Code:
    <c:set var="loggedInUser"><sec:authentication property="principal"/></c:set>
    <c:choose>
        <c:when test="${loggedInUser == 'roleAnonymous' }">
        ...
    But that doesn't seem optimal either; I don't like this == 'roleAnonymous' (is it said anywhere that this string won't change somewhere/somehow? I don't think so).

    Another solution would be to give everybody ROLE_WHATEVER and assume that not having ROLE_WHATEVER means you're not logged in. But this seems like a workaround, what's the best solution?

    Thanks,
    Kornel

  4. #4


    If I'm not mistaken, Spring Security will give everyone that isn't authenticated "ROLE_ANONYMOUS" and everyone who is authenticated "ROLE_AUTHENTICATED" automatically.

    Unfortunately, I can't find any reference or documentation that states this.

  5. #5

    Hi all.

    I have a problem with security:authorize too. I debugged the code and I've seen that in AuthorizeTag:129

    Code:
    Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
    returns null. Why can this be?
    Alexander Semenov

    My Jabber ID: bohtvaroh@jabby.org

  6. #6

    After successful authentication? You're using Spring Security, right? I've never had an issue like this; are you sure the user is logged in?

  7. #7

    Originally posted by Kornel:
        After successful authentication? You're using Spring Security, right? I've never had an issue like this; are you sure the user is logged in?

    Just fixed this - I had

    Code:
    <intercept-url pattern="/home" filters="none" />
    After changing to

    Code:
    <intercept-url pattern="/home" access="ROLE_ANONYMOUS,ROLE_USER" />
    all worked.
    Alexander Semenov

    My Jabber ID: bohtvaroh@jabby.org
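
Added example (not part of the thread, and not code from any poster or from Spring Security itself): a Java helper for the "is the user logged in at all?" question from post #3 that also covers the null Authentication seen in posts #5 and #7. It assumes the Spring Security 3.x-or-later package names; LoginState, isLoggedIn and the sample principals are hypothetical.

```java
// Added example, not from the thread. Assumes Spring Security 3.x or later
// package names; LoginState and the sample principals are hypothetical.
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class LoginState {

    private static final AuthenticationTrustResolver RESOLVER =
            new AuthenticationTrustResolverImpl();

    /** True only for a real (non-anonymous) login; a missing Authentication fails closed. */
    public static boolean isLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            // Nothing populated the SecurityContext for this request (the
            // situation in posts #5 and #7): treat as not logged in.
            return false;
        }
        // Type-based check, so it does not depend on the anonymous principal's
        // display string or on a complete list of role names.
        return auth.isAuthenticated() && !RESOLVER.isAnonymous(auth);
    }

    public static void main(String[] args) {
        // Constructed sample states: empty context, anonymous token, real login.
        SecurityContextHolder.clearContext();
        System.out.println("empty context -> " + isLoggedIn());

        SecurityContextHolder.getContext().setAuthentication(
                new AnonymousAuthenticationToken("constructed-key", "anonymousUser",
                        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        System.out.println("anonymous     -> " + isLoggedIn());

        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        System.out.println("ROLE_USER     -> " + isLoggedIn());

        SecurityContextHolder.clearContext();
    }
}
```

The result can be exposed to a JSP as a request attribute, so the view does not compare the principal against a fixed string.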
