How to make a link visible only if an authenticated user has corresponding permissions?

I'm using JSF, and as I understand, I should use the rendered attribute of a component, which should call the backing bean's boolean method.

I even found corresponding code some time ago, but now I can't find it again. So, can anyone give me an example of such a boolean method that works with Spring Security? (Or, even better, a link to some article that describes this issue.)

+2  A: 

The rendered attribute (and disabled and readonly) does not necessarily expect a getter method which returns boolean like this:

public boolean getBooleanValue() {
    return this.booleanValue;
}

Those attributes just expect a boolean expression, which can be any of the following examples:

<h:someComponent rendered="#{myBean.booleanValue}" />
<h:someComponent rendered="#{myBean.intValue > 10}" />
<h:someComponent rendered="#{myBean.objectValue == null}" />
<h:someComponent rendered="#{myBean.stringValue != 'someValue'}" />
<h:someComponent rendered="#{!empty myBean.collectionValue}" />
<h:someComponent rendered="#{!myBean.booleanValue && myBean.intValue != 0}" />
<h:someComponent rendered="#{myBean.stringValue == 'oneValue' || myBean.stringValue == 'anotherValue'}" />

The is prefix is by the way also allowed for boolean getters:

public boolean isBooleanValue() {
    return this.booleanValue;
}

You can wrap whatever API Spring Security is using in the getter and make use of it in a boolean EL expression in one of the aforementioned ways.

BalusC
A: 

You could use the acegi-jsf components: http://cagataycivici.wordpress.com/2006/01/19/acegi%5Fjsf%5Fcomponents%5Fhit%5Fthe/

Basically, you should access the principal and check its authority ...

MCA
This article is over 3 years old, and in the meantime Acegi was taken over by Spring under the name .. yes, Spring Security.
BalusC
+4  A: 

We use the SecurityContextHolder to access the currently logged-in user. We then use the user's getAuthorities() method to get her roles, resulting in (roughly) the following:

((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getAuthorities();
meriton
.. and to solve the particular problem, wrap it in a getter and make use of it in a boolean expression.
BalusC
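
The two suggestions above combined, as an added example that is not code from any of the answers: a backing bean whose boolean getter wraps the Spring Security lookup so it can be used in rendered. It assumes Spring Security 3 or later package names; the bean name securityBean, the class SecurityBean and the role ROLE_ADMIN are hypothetical. It reads the authorities from the Authentication object rather than casting the principal, so it also works when the principal is not a UserDetails.

```java
import java.util.Collection;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical backing bean; register it as "securityBean"
// (faces-config.xml or @ManagedBean) to reach it from EL.
public class SecurityBean {

    // True only if the current Authentication carries the given authority.
    // Returns false when nobody is logged in, so the link is hidden by default.
    public static boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        for (GrantedAuthority g : granted) {
            if (authority.equals(g.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Boolean getter for EL:
    // <h:outputLink value="admin.jsf" rendered="#{securityBean.admin}">...</h:outputLink>
    public boolean isAdmin() {
        return hasAuthority("ROLE_ADMIN"); // hypothetical role name
    }

    // Constructed demo: simulate users without a running container.
    public static void main(String[] args) {
        SecurityBean bean = new SecurityBean();
        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
        System.out.println("alice sees admin link: " + bean.isAdmin());
        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken("bob", "n/a", "ROLE_USER", "ROLE_ADMIN"));
        System.out.println("bob sees admin link: " + bean.isAdmin());
        SecurityContextHolder.clearContext();
        System.out.println("nobody logged in: " + bean.isAdmin());
    }
}
```

The rendered attribute only hides the link; the page or action it points to still needs its own server-side authorization rule, because the URL can be requested directly.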