* build.xml:

  Modified to create an acegi-taglib.jar.

* project.properties:
  Added new property to build acegi-taglib.jar.

* src/net/sf/acegisecurity/taglibs/authz.tld:
  Declare the Acegi Security authz tag library.

* test/net/sf/acegisecurity/taglibs/authz/AuthorizeTagTests.java,
  test/net/sf/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java:
  A set of tests that force the creation of a javax.servlet.jsp.Tag
  implementation that authorizes the output of the tag's body if the
  request's principal has or doesn't have certain authorities.

* src/net/sf/acegisecurity/taglibs/authz/AuthorizeTag.java:
  New class.  Implements AuthorizeTagTests and
  AuthorizeTagAttributeTests.

build.xml

@@ -109,18 +109,33 @@
 
 	<target name="fulljar" depends="build,initdist" description="Create JAR file with all Acegi Security System for Spring classes">
 		<delete file="${dist.dir}/${acegi-security.jar}"/>
-		
+
 		<!-- An all classes JAR file, which is provided for compiling web apps
 		only (at runtime all classes should be from web container) -->
 		<jar jarfile="${dist.dir}/${acegi-security.jar}">
 			<fileset dir="${target.classes.dir}">
 				<include name="net/sf/acegisecurity/**"/>
+				<exclude name="net/sf/acegisecurity/taglibs/**"/>
 			</fileset>
 			<manifest>
 				<attribute name="Acegi-Security-System-version" value="${acegi-security-version}"/>
 			</manifest>
 		</jar>
-		
+
+		<!-- The Acegi Security Tag Library JAR -->
+		<jar jarfile="${dist.dir}/${acegi-taglib.jar}">
+			<fileset dir="${target.classes.dir}">
+				<include name="net/sf/acegisecurity/taglibs/**"/>
+				<exclude name="**/*.tld"/>
+			</fileset>
+			<zipfileset dir="${src.dir}/net/sf/acegisecurity/taglibs"
+				prefix="META-INF" includes="*.tld" />
+			<manifest>
+				<attribute name="Acegi-Security-Taglib-version" value="${acegi-security-version}"/>
+				<attribute name="Sealed" value="true"/>
+			</manifest>
+		</jar>
+
 		<!-- The class that has catalina.jar dependencies and thus belongs in
 		Catalina's "Catalina" classloader ($CATALINA_HOME/server/lib directory) -->
 		<jar jarfile="${dist.dir}/acegi-security-catalina-server.jar">
@@ -131,7 +146,7 @@
 				<attribute name="Acegi-Security-System-version" value="${acegi-security-version}"/>
 			</manifest>
 		</jar>
-		
+
 		<!-- All Acegi Security System for Spring classes that belong in Catalina's
 		"Common" classloader ($CATALINA_HOME/common/lib directory) -->
 		<jar jarfile="${dist.dir}/acegi-security-catalina-common.jar">
@@ -149,7 +164,7 @@
 				<attribute name="Acegi-Security-System-version" value="${acegi-security-version}"/>
 			</manifest>
 		</jar>
-		
+
 		<!-- All Acegi Security System for Spring classes that belong in Jetty's
 		"ext" directory -->
 		<jar jarfile="${dist.dir}/acegi-security-jetty-ext.jar">
@@ -166,7 +181,7 @@
 				<attribute name="Acegi-Security-System-version" value="${acegi-security-version}"/>
 			</manifest>
 		</jar>
-		
+
 		<!-- All Acegi Security System for Spring classes that belong in JBoss'
 		"server/your_config/lib" directory -->
 		<jar jarfile="${dist.dir}/acegi-security-jboss-lib.jar">
@@ -183,7 +198,7 @@
 				<attribute name="Acegi-Security-System-version" value="${acegi-security-version}"/>
 			</manifest>
 		</jar>
-		
+
 		<!-- All Acegi Security System for Spring classes that belong in
 		Resin's "lib" directory -->
 		<jar jarfile="${dist.dir}/acegi-security-resin-lib.jar">
@@ -305,7 +320,7 @@
 
 
 	<!--
-		Run tests. 
+		Run tests.
 	-->
 	<target name="tests" depends="buildtests" description="Run tests.">
 

core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java

@@ -0,0 +1,132 @@
+/*
+ * The Acegi Security System for Spring is published under the terms
+ * of the Apache Software License.
+ *
+ * Visit http://acegisecurity.sourceforge.net for further details.
+ */
+
+package net.sf.acegisecurity.taglibs.authz;
+
+import net.sf.acegisecurity.Authentication;
+import net.sf.acegisecurity.GrantedAuthorityImpl;
+import net.sf.acegisecurity.context.ContextHolder;
+import net.sf.acegisecurity.context.SecureContext;
+
+import java.util.*;
+
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.Tag;
+import javax.servlet.jsp.tagext.TagSupport;
+
+
+/**
+ * An implementation of {@link javax.servlet.jsp.tagext.Tag} that allows it's
+ * body through if some authorizations are granted to the request's principal.
+ *
+ * @author Francois Beausoleil
+ * @version $Id$
+ */
+public class AuthorizeTag extends TagSupport {
+    //~ Instance fields ========================================================
+
+    private String ifAllGranted = "";
+    private String ifAnyGranted = "";
+    private String ifNotGranted = "";
+
+    //~ Methods ================================================================
+
+    public void setIfAllGranted(String ifAllGranted) {
+        this.ifAllGranted = ifAllGranted;
+    }
+
+    public String getIfAllGranted() {
+        return ifAllGranted;
+    }
+
+    public void setIfAnyGranted(String ifAnyGranted) {
+        this.ifAnyGranted = ifAnyGranted;
+    }
+
+    public String getIfAnyGranted() {
+        return ifAnyGranted;
+    }
+
+    public void setIfNotGranted(String ifNotGranted) {
+        this.ifNotGranted = ifNotGranted;
+    }
+
+    public String getIfNotGranted() {
+        return ifNotGranted;
+    }
+
+    public int doStartTag() throws JspException {
+        if (((null == ifAllGranted) || "".equals(ifAllGranted))
+            && ((null == ifAnyGranted) || "".equals(ifAnyGranted))
+            && ((null == ifNotGranted) || "".equals(ifNotGranted))) {
+            return Tag.SKIP_BODY;
+        }
+
+        final Collection granted = getPrincipalAuthorities();
+
+        if ((null != ifNotGranted) && !"".equals(ifNotGranted)) {
+            Set grantedCopy = retainAll(granted,
+                    parseAuthoritiesString(ifNotGranted));
+
+            if (!grantedCopy.isEmpty()) {
+                return Tag.SKIP_BODY;
+            }
+        }
+
+        if ((null != ifAllGranted) && !"".equals(ifAllGranted)) {
+            if (!granted.containsAll(parseAuthoritiesString(ifAllGranted))) {
+                return Tag.SKIP_BODY;
+            }
+        }
+
+        if ((null != ifAnyGranted) && !"".equals(ifAnyGranted)) {
+            Set grantedCopy = retainAll(granted,
+                    parseAuthoritiesString(ifAnyGranted));
+
+            if (grantedCopy.isEmpty()) {
+                return Tag.SKIP_BODY;
+            }
+        }
+
+        return Tag.EVAL_BODY_INCLUDE;
+    }
+
+    private Collection getPrincipalAuthorities() {
+        SecureContext context = ((SecureContext) ContextHolder.getContext());
+
+        if (null == context) {
+            return Collections.EMPTY_LIST;
+        }
+
+        Authentication currentUser = context.getAuthentication();
+
+        Collection granted = Arrays.asList(currentUser.getAuthorities());
+
+        return granted;
+    }
+
+    private Set parseAuthoritiesString(String authorizationsString) {
+        final Set requiredAuthorities = new HashSet();
+        final StringTokenizer tokenizer;
+        tokenizer = new StringTokenizer(authorizationsString, ",", false);
+
+        while (tokenizer.hasMoreTokens()) {
+            String role = tokenizer.nextToken();
+            requiredAuthorities.add(new GrantedAuthorityImpl(role));
+        }
+
+        return requiredAuthorities;
+    }
+
+    private Set retainAll(final Collection granted,
+        final Set requiredAuthorities) {
+        Set grantedCopy = new HashSet(granted);
+        grantedCopy.retainAll(requiredAuthorities);
+
+        return grantedCopy;
+    }
+}

core/src/main/resources/org/acegisecurity/taglibs/authz.tld

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE taglib
+        PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"
+        "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
+<taglib>
+	<tlib-version>1.0</tlib-version>
+	<jsp-version>1.2</jsp-version>
+	<short-name>authz</short-name>
+	<uri>http://acegisecurity.sf.net/authz</uri>
+	<description>
+        Acegi Security Systems Authorization Tag Library
+		$Id$
+	</description>
+
+	<tag>
+		<name>authorize</name>
+		<tag-class>net.sf.acegisecurity.taglibs.authz.AuthorizeTag</tag-class>
+		<description>
+            A simple tag to output or not the body of the tag if the principal
+            has or doesn't have certain authorities.
+		</description>
+
+		<attribute>
+			<name>ifNotGranted</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+			<description>
+                A comma separated list of roles which the user must not have
+                for the body to be output.
+			</description>
+		</attribute>
+
+		<attribute>
+			<name>ifAllGranted</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+			<description>
+                A comma separated list of roles which the user must all
+                possess for the body to be output.
+			</description>
+		</attribute>
+
+		<attribute>
+			<name>ifAnyGranted</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+			<description>
+                A comma separated list of roles, one of which the user must
+                possess for the body to be output.
+			</description>
+		</attribute>
+	</tag>
+</taglib>

core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java

@@ -0,0 +1,71 @@
+/*
+ * The Acegi Security System for Spring is published under the terms
+ * of the Apache Software License.
+ *
+ * Visit http://acegisecurity.sourceforge.net for further details.
+ */
+
+package net.sf.acegisecurity.taglibs.authz;
+
+import junit.framework.TestCase;
+
+import net.sf.acegisecurity.GrantedAuthority;
+import net.sf.acegisecurity.GrantedAuthorityImpl;
+import net.sf.acegisecurity.context.ContextHolder;
+import net.sf.acegisecurity.context.SecureContextImpl;
+import net.sf.acegisecurity.providers.TestingAuthenticationToken;
+
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.Tag;
+
+
+/**
+ * DOCUMENT ME!
+ *
+ * @author Francois Beausoleil
+ * @version $Id$
+ */
+public class AuthorizeTagAttributeTests extends TestCase {
+    //~ Instance fields ========================================================
+
+    private final AuthorizeTag authorizeTag = new AuthorizeTag();
+    private SecureContextImpl context;
+    private TestingAuthenticationToken currentUser;
+
+    //~ Methods ================================================================
+
+    public void testAssertsIfAllGrantedSecond() throws JspException {
+        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_SUPERTELLER");
+        authorizeTag.setIfAnyGranted("ROLE_RESTRICTED");
+        assertEquals("prevents request - principal is missing ROLE_SUPERTELLER",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testAssertsIfAnyGrantedLast() throws JspException {
+        authorizeTag.setIfAnyGranted("ROLE_BANKER");
+        assertEquals("prevents request - principal is missing ROLE_BANKER",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testAssertsIfNotGrantedFirst() throws JspException {
+        authorizeTag.setIfNotGranted("ROLE_RESTRICTED");
+        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_RESTRICTED");
+        authorizeTag.setIfAnyGranted("ROLE_SUPERVISOR");
+        assertEquals("prevents request - principal has ROLE_RESTRICTED",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        currentUser = new TestingAuthenticationToken("abc", "123",
+                new GrantedAuthority[] {new GrantedAuthorityImpl(
+                        "ROLE_SUPERVISOR"), new GrantedAuthorityImpl(
+                        "ROLE_RESTRICTED"),});
+
+        context = new SecureContextImpl();
+        context.setAuthentication(currentUser);
+
+        ContextHolder.setContext(context);
+    }
+}

core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java

@@ -0,0 +1,112 @@
+/*
+ * The Acegi Security System for Spring is published under the terms
+ * of the Apache Software License.
+ *
+ * Visit http://acegisecurity.sourceforge.net for further details.
+ */
+
+package net.sf.acegisecurity.taglibs.authz;
+
+import junit.framework.TestCase;
+
+import net.sf.acegisecurity.GrantedAuthority;
+import net.sf.acegisecurity.GrantedAuthorityImpl;
+import net.sf.acegisecurity.context.ContextHolder;
+import net.sf.acegisecurity.context.SecureContextImpl;
+import net.sf.acegisecurity.providers.TestingAuthenticationToken;
+
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.Tag;
+
+
+/**
+ * DOCUMENT ME!
+ *
+ * @author Francois Beausoleil
+ * @version $Id$
+ */
+public class AuthorizeTagTests extends TestCase {
+    //~ Instance fields ========================================================
+
+    private final AuthorizeTag authorizeTag = new AuthorizeTag();
+    private SecureContextImpl context;
+    private TestingAuthenticationToken currentUser;
+
+    //~ Methods ================================================================
+
+    public void testDefaultsToNotOutputtingBodyWhenNoRequiredAuthorities()
+        throws JspException {
+        assertEquals("", authorizeTag.getIfAllGranted());
+        assertEquals("", authorizeTag.getIfAnyGranted());
+        assertEquals("", authorizeTag.getIfNotGranted());
+
+        assertEquals("prevents body output - no authorities granted",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testOutputsBodyIfOneRolePresent() throws JspException {
+        authorizeTag.setIfAnyGranted("ROLE_TELLER");
+        assertEquals("authorized - ROLE_TELLER in both sets",
+            Tag.EVAL_BODY_INCLUDE, authorizeTag.doStartTag());
+    }
+
+    public void testOutputsBodyWhenAllGranted() throws JspException {
+        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER");
+        assertEquals("allows request - all required roles granted on principal",
+            Tag.EVAL_BODY_INCLUDE, authorizeTag.doStartTag());
+    }
+
+    public void testOutputsBodyWhenNotGrantedSatisfied()
+        throws JspException {
+        authorizeTag.setIfNotGranted("ROLE_BANKER");
+        assertEquals("allows request - principal doesn't have ROLE_BANKER",
+            Tag.EVAL_BODY_INCLUDE, authorizeTag.doStartTag());
+    }
+
+    public void testSkipsBodyIfNoAnyRolePresent() throws JspException {
+        authorizeTag.setIfAnyGranted("ROLE_BANKER");
+        assertEquals("unauthorized - ROLE_BANKER not in granted authorities",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testSkipsBodyWhenMissingAnAllGranted()
+        throws JspException {
+        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER,ROLE_BANKER");
+        assertEquals("prevents request - missing ROLE_BANKER on principal",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testSkipsBodyWhenNotGrantedUnsatisfied()
+        throws JspException {
+        authorizeTag.setIfNotGranted("ROLE_TELLER");
+        assertEquals("prevents request - principal has ROLE_TELLER",
+            Tag.SKIP_BODY, authorizeTag.doStartTag());
+    }
+
+    public void testUsesAllAuthoritiesToDetermineAccess() {
+        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_BANKER");
+        authorizeTag.setIfAnyGranted("ROLE_BANKER");
+        authorizeTag.setIfNotGranted("ROLE_RESTRICTED");
+
+        currentUser = new TestingAuthenticationToken("abc", "123",
+                new GrantedAuthority[] {new GrantedAuthorityImpl(
+                        "ROLE_SUPERVISOR"), new GrantedAuthorityImpl(
+                        "ROLE_BANKER"), new GrantedAuthorityImpl(
+                        "ROLE_RESTRICTED"),});
+        context.setAuthentication(currentUser);
+    }
+
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        currentUser = new TestingAuthenticationToken("abc", "123",
+                new GrantedAuthority[] {new GrantedAuthorityImpl(
+                        "ROLE_SUPERVISOR"), new GrantedAuthorityImpl(
+                        "ROLE_TELLER"),});
+
+        context = new SecureContextImpl();
+        context.setAuthentication(currentUser);
+
+        ContextHolder.setContext(context);
+    }
+}

project.properties

@@ -27,6 +27,9 @@ target.testclasses.dir=${target.dir}/test-classes
 # Names of distribution jar files
 acegi-security.jar=acegi-security.jar
 
+# Names of distribution jar files
+acegi-taglib.jar=acegi-security-taglib.jar
+
 # Name of Zip file containing all project sources
 acegi-security-src.zip=acegi-security-src.zip