SEC-1675: Add missing body-content elements to tag descriptor and update it to use 2.0 tag library schema.

itest/web/src/main/webapp/WEB-INF/security.tld

@@ -1,174 +1,178 @@
 <?xml version="1.0" encoding="ISO-8859-1" ?>
-<!DOCTYPE taglib
-        PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"
-        "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
-<taglib>
-    <tlib-version>1.0</tlib-version>
-    <jsp-version>1.2</jsp-version>
+
+<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
+        version="2.0">
+    <description>Spring Security Authorization Tag Library</description>
+
+    <tlib-version>3.1</tlib-version>
     <short-name>security</short-name>
     <uri>http://www.springframework.org/security/tags</uri>
-    <description>
-        Spring Security Authorization Tag Library
-    </description>
 
     <tag>
-        <name>authorize</name>
-        <tag-class>org.springframework.security.taglibs.authz.JspAuthorizeTag</tag-class>
         <description>
             A tag which outputs the body of the tag if the configured access expression
             evaluates to true for the currently authenticated principal.
         </description>
+        <name>authorize</name>
+        <tag-class>org.springframework.security.taglibs.authz.JspAuthorizeTag</tag-class>
+        <body-content>JSP</body-content>
 
         <attribute>
-            <name>access</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A Spring-EL expression which is supported by the WebSecurityExpressionHandler
                 in the application context. The latter will be used to evaluate the expression.
             </description>
+            <name>access</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>url</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A URL within the application. If the user has access to this URL (as determined by
                 the AccessDecisionManager), the tag body will be evaluated. If not, it will
                 be skipped.
             </description>
+            <name>url</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>method</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Can optionally be used to narrow down the HTTP method (typically GET or POST) to which the URL
                 applies to. Only has any meaning when used in combination with the "url" attribute.
             </description>
+            <name>method</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the
                 same condition to be reused subsequently in the page without re-evaluation.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifNotGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles which the user must not have
                 for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifNotGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifAllGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles which the user must all
                 possess for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifAllGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifAnyGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles, one of which the user must
                 possess for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifAnyGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
     </tag>
 
     <tag>
-        <name>authentication</name>
-        <tag-class>org.springframework.security.taglibs.authz.AuthenticationTag</tag-class>
         <description>
             Allows access to the current Authentication object.
         </description>
+        <name>authentication</name>
+        <tag-class>org.springframework.security.taglibs.authz.AuthenticationTag</tag-class>
+        <body-content>empty</body-content>
 
         <attribute>
-            <name>property</name>
-            <required>true</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 Property of the Authentication object which should be output. Supports nested
                 properties. For example if the principal object is an instance of UserDetails,
                 the property "principal.username" will return the username. Alternatively, using
                 "name" will call getName method on the Authentication object directly.
             </description>
+            <name>property</name>
+            <required>true</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Name of the exported scoped variable which will contain the
                 evaluated property of the Authentication object.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
         <attribute>
-            <description>Set HTML escaping for this tag, as a boolean value.</description>
+            <description>
+                Set HTML escaping for this tag, as a boolean value.
+            </description>
             <name>htmlEscape</name>
             <required>false</required>
             <rtexprvalue>true</rtexprvalue>
         </attribute>
         <attribute>
-            <name>scope</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Scope for var.
             </description>
+            <name>scope</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
     </tag>
 
     <tag>
-        <name>accesscontrollist</name>
-        <tag-class>org.springframework.security.taglibs.authz.AccessControlListTag</tag-class>
         <description>
             Allows inclusion of a tag body if the current Authentication
             has one of the specified permissions to the presented
             domain object instance.
         </description>
+        <name>accesscontrollist</name>
+        <tag-class>org.springframework.security.taglibs.authz.AccessControlListTag</tag-class>
+        <body-content>JSP</body-content>
 
         <attribute>
-            <name>hasPermission</name>
-            <required>true</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of permissions, which will be converted to
                 Permission instances by the configured PermissionFactory.
             </description>
-        </attribute>
-        <attribute>
-            <name>domainObject</name>
+            <name>hasPermission</name>
             <required>true</required>
             <rtexprvalue>true</rtexprvalue>
+        </attribute>
+        <attribute>
             <description>
                 The actual domain object instance for which permissions
                 are being evaluated.
             </description>
+            <name>domainObject</name>
+            <required>true</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the
                 same condition to be reused subsequently in the page without re-evaluation.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
     </tag>
 

taglibs/src/main/resources/META-INF/security.tld

@@ -1,174 +1,178 @@
 <?xml version="1.0" encoding="ISO-8859-1" ?>
-<!DOCTYPE taglib
-        PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"
-        "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
-<taglib>
-    <tlib-version>1.1.1</tlib-version>
-    <jsp-version>1.2</jsp-version>
+
+<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
+        version="2.0">
+    <description>Spring Security Authorization Tag Library</description>
+
+    <tlib-version>3.1</tlib-version>
     <short-name>security</short-name>
     <uri>http://www.springframework.org/security/tags</uri>
-    <description>
-        Spring Security Authorization Tag Library
-    </description>
 
     <tag>
-        <name>authorize</name>
-        <tag-class>org.springframework.security.taglibs.authz.JspAuthorizeTag</tag-class>
         <description>
             A tag which outputs the body of the tag if the configured access expression
             evaluates to true for the currently authenticated principal.
         </description>
+        <name>authorize</name>
+        <tag-class>org.springframework.security.taglibs.authz.JspAuthorizeTag</tag-class>
+        <body-content>JSP</body-content>
 
         <attribute>
-            <name>access</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A Spring-EL expression which is supported by the WebSecurityExpressionHandler
                 in the application context. The latter will be used to evaluate the expression.
             </description>
+            <name>access</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>url</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A URL within the application. If the user has access to this URL (as determined by
                 the AccessDecisionManager), the tag body will be evaluated. If not, it will
                 be skipped.
             </description>
+            <name>url</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>method</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Can optionally be used to narrow down the HTTP method (typically GET or POST) to which the URL
                 applies to. Only has any meaning when used in combination with the "url" attribute.
             </description>
+            <name>method</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the
                 same condition to be reused subsequently in the page without re-evaluation.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifNotGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles which the user must not have
                 for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifNotGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifAllGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles which the user must all
                 possess for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifAllGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
 
         <attribute>
-            <name>ifAnyGranted</name>
-            <required>false</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of roles, one of which the user must
                 possess for the body to be output. Deprecated in favour of the access expression.
             </description>
+            <name>ifAnyGranted</name>
+            <required>false</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
     </tag>
 
     <tag>
-        <name>authentication</name>
-        <tag-class>org.springframework.security.taglibs.authz.AuthenticationTag</tag-class>
         <description>
             Allows access to the current Authentication object.
         </description>
+        <name>authentication</name>
+        <tag-class>org.springframework.security.taglibs.authz.AuthenticationTag</tag-class>
+        <body-content>empty</body-content>
 
         <attribute>
-            <name>property</name>
-            <required>true</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 Property of the Authentication object which should be output. Supports nested
                 properties. For example if the principal object is an instance of UserDetails,
                 the property "principal.username" will return the username. Alternatively, using
                 "name" will call getName method on the Authentication object directly.
             </description>
+            <name>property</name>
+            <required>true</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Name of the exported scoped variable which will contain the
                 evaluated property of the Authentication object.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
         <attribute>
+            <description>
+                Set HTML escaping for this tag, as a boolean value.
+            </description>
             <name>htmlEscape</name>
             <required>false</required>
             <rtexprvalue>true</rtexprvalue>
-            <description>Set HTML escaping for this tag, as a boolean value.</description>
         </attribute>
         <attribute>
-            <name>scope</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 Scope for var.
             </description>
+            <name>scope</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
     </tag>
 
     <tag>
-        <name>accesscontrollist</name>
-        <tag-class>org.springframework.security.taglibs.authz.AccessControlListTag</tag-class>
         <description>
             Allows inclusion of a tag body if the current Authentication
             has one of the specified permissions to the presented
             domain object instance.
         </description>
+        <name>accesscontrollist</name>
+        <tag-class>org.springframework.security.taglibs.authz.AccessControlListTag</tag-class>
+        <body-content>JSP</body-content>
 
         <attribute>
-            <name>hasPermission</name>
-            <required>true</required>
-            <rtexprvalue>true</rtexprvalue>
             <description>
                 A comma separated list of permissions, which will be converted to
                 Permission instances by the configured PermissionFactory.
             </description>
-        </attribute>
-        <attribute>
-            <name>domainObject</name>
+            <name>hasPermission</name>
             <required>true</required>
             <rtexprvalue>true</rtexprvalue>
+        </attribute>
+        <attribute>
             <description>
                 The actual domain object instance for which permissions
                 are being evaluated.
             </description>
+            <name>domainObject</name>
+            <required>true</required>
+            <rtexprvalue>true</rtexprvalue>
         </attribute>
         <attribute>
-            <name>var</name>
-            <required>false</required>
-            <rtexprvalue>false</rtexprvalue>
             <description>
                 A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the
                 same condition to be reused subsequently in the page without re-evaluation.
             </description>
+            <name>var</name>
+            <required>false</required>
+            <rtexprvalue>false</rtexprvalue>
         </attribute>
     </tag>