|
@@ -1,4 +1,4 @@
|
|
|
-<?xml version="1.0" encoding="UTF-8"?>
|
|
|
+<?xml version="1.0" encoding="UTF-8"?>
|
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
|
|
|
"../lib/docbook-dtd/docbookx.dtd">
|
|
|
<book>
|
|
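Review bot: The removed and added `<?xml version="1.0" encoding="UTF-8"?>` lines at the top of this hunk are textually identical, so the change is presumably whitespace, line-ending or byte-order-mark only. Confirm it is intentional; if it is an editor artifact, drop it so the commit carries only the tag library documentation change.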
@@ -910,32 +910,115 @@ public boolean supports(ConfigAttribute attribute);</programlisting></para>
|
|
|
</itemizedlist>
|
|
|
</sect2>
|
|
|
|
|
|
- <sect2>
|
|
|
- <title>Authorization Tag Library</title>
|
|
|
-
|
|
|
- <para>The Acegi Security System for Spring comes bundled with a
|
|
|
- JSP tag library that eases JSP writing.</para>
|
|
|
-
|
|
|
- <sect3>
|
|
|
- <title>Installation</title>
|
|
|
- </sect3>
|
|
|
-
|
|
|
- <sect3>
|
|
|
- <title>Usage</title>
|
|
|
-
|
|
|
- <para>The following JSP fragment illustrates how to use the
|
|
|
- authz taglib:</para>
|
|
|
-
|
|
|
- <para><programlisting><authz:authorize ifAllGranted="ROLE_SUPERVISOR">
|
|
|
- <td>
|
|
|
- <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>
|
|
|
- </td>
|
|
|
-</authz:authorize></programlisting></para>
|
|
|
-
|
|
|
- <para>What this code says is: if the pricipal has been granted
|
|
|
- ROLE_SUPERVISOR, allow the tag's body to be output.</para>
|
|
|
- </sect3>
|
|
|
- </sect2>
|
|
|
+ <sect2>
|
|
|
+ <title>Authorization Tag Library</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring comes bundled with a
|
|
|
+ JSP tag library that eases JSP writing.</para>
|
|
|
+
|
|
|
+ <para>This library simply wraps some bits of Java code, for
|
|
|
+ easy reuse. The tag library also allows the JSP developer to
|
|
|
+ determine if a principal has, doesn't have or has any of a
|
|
|
+ specified set of roles.</para>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Usage</title>
|
|
|
+
|
|
|
+ <para>The following JSP fragment illustrates how to use the
|
|
|
+ authz taglib:</para>
|
|
|
+
|
|
|
+ <para>
|
|
|
+ <programlisting><authz:authorize ifAllGranted="ROLE_SUPERVISOR">
|
|
|
+ <td>
|
|
|
+ <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>
|
|
|
+ </td>
|
|
|
+</authz:authorize></programlisting>
|
|
|
+ </para>
|
|
|
+
|
|
|
+ <para>This code was copied from the Contacts sample
|
|
|
+ application.</para>
|
|
|
+
|
|
|
+ <para>What this code says is: if the pricipal has been granted
|
|
|
+ ROLE_SUPERVISOR, allow the tag's body to be output.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Installation</title>
|
|
|
+
|
|
|
+ <para>Installation is a simple matter-simply copy the
|
|
|
+ acegi-security-taglib.jar file to your application's
|
|
|
+ WEB-INF/lib folder. The tag library includes it's TLD,
|
|
|
+ which makes it easier to work with JSP 1.2+ containers.</para>
|
|
|
+
|
|
|
+ <para>If you are using a JSP 1.1 container, you will need to
|
|
|
+ declare the JSP tag library in your application's web.xml file,
|
|
|
+ with code such as this:</para>
|
|
|
+
|
|
|
+ <para>
|
|
|
+ <programlisting><taglib>
|
|
|
+ <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri>
|
|
|
+ <taglib-location>/WEB-INF/authz.tld</taglib-location>
|
|
|
+</taglib></programlisting>
|
|
|
+ </para>
|
|
|
+
|
|
|
+ <para>You will also need to extract the authz.tld file from
|
|
|
+ the acegi-security-taglib.jar file. Use a regular Zip tool,
|
|
|
+ or use Java's JAR utility.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Reference</title>
|
|
|
+
|
|
|
+ <para>The
|
|
|
+ <literal>authz:authorize</literal> tag declares the
|
|
|
+ following attributes:
|
|
|
+ </para>
|
|
|
+
|
|
|
+ <para>
|
|
|
+ <itemizedlist spacing="compact">
|
|
|
+ <listitem><para>
|
|
|
+ <literal>ifAllGranted</literal>: All the listed
|
|
|
+ roles must be granted for the tag to output it's
|
|
|
+ body.
|
|
|
+ </para></listitem>
|
|
|
+ <listitem><para>
|
|
|
+ <literal>ifAnyGranted</literal>: Any of the
|
|
|
+ listed roles must be granted for the tag to output
|
|
|
+ it's body.
|
|
|
+ </para></listitem>
|
|
|
+ <listitem><para>
|
|
|
+ <literal>ifNotGranted</literal>: None of the
|
|
|
+ listed roles must be granted for the tag to output
|
|
|
+ it's body.
|
|
|
+ </para></listitem>
|
|
|
+ </itemizedlist>
|
|
|
+ </para>
|
|
|
+
|
|
|
+ <para>You'll note that in each attribute you can list multiple
|
|
|
+ roles. Simply separate the roles using a comma. The
|
|
|
+ <literal>authorize</literal> tag ignores whitespace in
|
|
|
+ attributes.</para>
|
|
|
+
|
|
|
+ <para>The tag library logically ANDs all of it's parameters
|
|
|
+ together. This means that if you combine two or more
|
|
|
+ attributes, they all must be true for the tag to output it's
|
|
|
+ body. Don't add an
|
|
|
+ <literal>ifAllGranted="ROLE_SUPERVISOR"</literal>, followed by
|
|
|
+ an <literal>ifNotGranted="ROLE_SUPERVISOR"</literal>, or
|
|
|
+ you'll be surprised to never see the tag's body.</para>
|
|
|
+
|
|
|
+ <para>One last item: the tag verifies the authorizations in a
|
|
|
+ specific order: first <literal>ifNotGranted</literal>, then
|
|
|
+ <literal>ifAllGranted</literal>, and finally,
|
|
|
+ <literal>ifAnyGranted</literal>.
|
|
|
+ </para>
|
|
|
+
|
|
|
+ <para>This might or might not be important to you, depending
|
|
|
+ on how your authorization scheme is defined, but it allows you
|
|
|
+ to express concepts like: principal is a SUPERVISOR, but not
|
|
|
+ a NEWBIE_SUPERVISOR.</para>
|
|
|
+ </sect3>
|
|
|
+ </sect2>
|
|
|
</sect1>
|
|
|
|
|
|
<sect1>
|
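Review bot: The Usage section shows the `del.htm?id=...` link wrapped in `authz:authorize ifAllGranted="ROLE_SUPERVISOR"` without saying that the tag only controls whether its body is rendered. Add a sentence stating that the `del.htm` request itself must still be authorized on the server side, since hiding the link does not restrict access to the URL. In the Reference section, the closing paragraphs credit the evaluation order (`ifNotGranted`, then `ifAllGranted`, then `ifAnyGranted`) with letting you express "SUPERVISOR, but not a NEWBIE_SUPERVISOR", yet the paragraph before says all attributes are ANDed, so the outcome does not depend on the order. Attribute that expressiveness to combining attributes, and either drop the order remark or say when it matters. The Usage example relies on the `authz:` prefix but nowhere shows the JSP `taglib` directive that binds it to `http://acegisecurity.sf.net/authz`. Wording: "pricipal" should be "principal", the possessive "it's" should be "its" throughout, "matter-simply" needs a proper dash or a sentence break, and "None of the listed roles must be granted" reads more clearly as "none of the listed roles may be granted".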