Thread: Authorization Tag Library question

  1. #1
    Join Date
    Oct 2005
    Location
    São Paulo, Brazil
    Posts
    14

    Authorization Tag Library question

    Hi guys,

    In my app I have a login form for authentication in the header of all my app pages. I must show the form when the user is not logged in and their data when they are logged in. Googling a little bit, I found the authorization tag library, and I have tried this:

    Code:
    ...
    <sec:authorize ifNotGranted="ROLE_USER">
      <!-- show the form stuff -->
    </sec:authorize>
    <sec:authorize ifAllGranted="ROLE_USER">
      <!-- show the user stuff -->
    </sec:authorize>
    ...
    But unfortunately this did not work for me. I've tried using the ifAnyGranted attribute, but without success.

    Do any of you guys have some advice for me? I'm stuck on this problem and I want to use the power of these taglibs rather than the overhead of writing custom code to handle this.

    Thanks in advance.
    Regards

    Jeferson Santos

  2. #2
    Join Date
    May 2008
    Posts
    153

    works for me

    I am using these tags just fine in my application:

    I use them from my navigation JSP
    Code:
    <%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %>
    ..
    <security:authorize ifAnyGranted="PERM_USER_ADD">
    ... render menu item to create new users
    </security:authorize>
    Question: Are you using Spring Security elsewhere in your application?

    Suggestion: Why don't you make a test page/controller that dumps the person's current login id and roles, then you can see if the tags _should_ work.
    Last edited by honeybunny; Oct 8th, 2009 at 05:19 PM.

  3. #3
    Join Date
    Oct 2005
    Location
    São Paulo, Brazil
    Posts
    14

    misunderstood

    Thanks, honeybunny, for your fast reply, but I think I was not clear enough in my last post.

    In fact, the ifNotGranted tag works for me. My problem is that I cannot use both of them at the same time. Let me explain:

    I have a box in my layout where I want to show a login form if the user is not logged in, or the user's information if the user is logged in. Something like this:

    Code:
    <div class="userBox">
    <core:choose>
      <core:when test="${not isUserLogged}">
        <form name="f" action="j_spring_security_check" method="POST">
        <input type="text" name="j_username" class="campo_user" size="15" value=""/><br />
        <input type="password" name="j_password" class="campo_user" value="" size="15" /><br />
        <input type="submit" />
        </form>
      </core:when>
      <core:otherwise>
        welcome <span><core:out value="${user.name}"/></span>
      </core:otherwise>
    </core:choose>
    </div>
    I want to avoid doing that, because I would have to check whether the user is logged in and pass this information to my view in every controller of my application.
    I've made one attempt to do that using a combination of authorize tags with the ifNotGranted and ifAnyGranted attributes (the code in my first post), but I have realised that just the block with ifNotGranted is rendered, even when my user is logged in.

    I hope I've made myself a little bit clearer now.

    Thanks in advance.
    Regards

    Jeferson Santos

  4. #4
    Join Date
    May 2008
    Posts
    153

    "that just the block with ifNotGranted is rendered, even when my user is logged in."
    This suggests that the tag library is not seeing your GrantedAuthorities, or that they are not named in a way that matches your JSP:

    From your controller try this:
    Code:
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication auth = context.getAuthentication();
    pageModel.put("authorities", auth.getAuthorities());
    Then list them in your JSP. There may be a built-in tag that exposes granted authorities too, but you can log them in your controller if you think the tag library

  5. #5
    Join Date
    Oct 2005
    Location
    São Paulo, Brazil
    Posts
    14

    it worked!

    After your advice and some tests, I realised that my index controller was without any filters:

    <security:intercept-url pattern="/index.html" filters="none" />

    I've changed it to

    <security:intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    And everything works great.

    Thanks.
    Regards

    Jeferson Santos
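
Added example, not part of the original thread or the poster's actual configuration: the fix from post #5 shown inside a complete `<security:http>` block, with comments on why `filters="none"` left the authorize tags with nothing to evaluate. The `/css/**` and `/**` patterns, `ROLE_USER` on the catch-all rule and `auto-config="true"` are assumptions.

```xml
<!-- Constructed fragment. Only the two /index.html rules come from post #5;
     the other patterns, roles and auto-config are assumed for illustration. -->
<security:http auto-config="true">

  <!-- BEFORE (post #5): filters="none" takes the request out of the Spring
       Security filter chain. No filter restores the SecurityContext from the
       session, so the authorize tags in the JSP see no authentication and
       only the ifNotGranted block renders, even for a logged-in user.
  <security:intercept-url pattern="/index.html" filters="none" />
  -->

  <!-- AFTER (post #5): the page stays open to everyone, but the request now
       passes through the chain, so a logged-in user's granted authorities
       are available to ifNotGranted / ifAllGranted / ifAnyGranted. -->
  <security:intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <!-- filters="none" is still reasonable for static resources that never
       render user-specific content (assumed path). -->
  <security:intercept-url pattern="/css/**" filters="none" />

  <!-- Rules are matched in order, so the catch-all goes last
       (assumed pattern and role). -->
  <security:intercept-url pattern="/**" access="ROLE_USER" />

</security:http>
```

Any page that includes the shared header with the authorize tags needs a rule that keeps it inside the filter chain, otherwise it shows the login form to users who are already authenticated.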
