Class AbstractAuthorizeTag

java.lang.Object
org.springframework.security.taglibs.authz.AbstractAuthorizeTag
Direct Known Subclasses:
JspAuthorizeTag

public abstract class AbstractAuthorizeTag extends Object
A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets). It treats tag attributes as simple strings rather than strings that may contain expressions, with the exception of the "access" attribute, which is always expected to contain a Spring EL expression.

Subclasses are expected to extract tag attribute values from the specific rendering technology, evaluate them as expressions if necessary, and set the String-based attributes of this class.

Since:
3.1.0
  • Constructor Details

    • AbstractAuthorizeTag

      public AbstractAuthorizeTag()
  • Method Details

    • getRequest

      protected abstract jakarta.servlet.ServletRequest getRequest()
      This method allows subclasses to provide a way to access the ServletRequest according to the rendering technology.
    • getResponse

      protected abstract jakarta.servlet.ServletResponse getResponse()
      This method allows subclasses to provide a way to access the ServletResponse according to the rendering technology.
    • getServletContext

      protected abstract jakarta.servlet.ServletContext getServletContext()
      This method allows subclasses to provide a way to access the ServletContext according to the rendering technology.
    • authorize

      public boolean authorize() throws IOException
      Make an authorization decision by considering all <authorize> tag attributes. The following are valid combinations of attributes:
      • access
      • url, method
      The above combinations are mutually exclusive and evaluated in the given order.
      Returns:
      the result of the authorization decision
      Throws:
      IOException
    • authorizeUsingAccessExpression

      public boolean authorizeUsingAccessExpression() throws IOException
      Make an authorization decision based on a Spring EL expression. See the "Expression-Based Access Control" chapter in Spring Security for details on what expressions can be used.
      Returns:
      the result of the authorization decision
      Throws:
      IOException
    • createExpressionEvaluationContext

      protected org.springframework.expression.EvaluationContext createExpressionEvaluationContext(SecurityExpressionHandler<FilterInvocation> handler)
      Allows the EvaluationContext to be customized for variable lookup etc.
    • authorizeUsingUrlCheck

      public boolean authorizeUsingUrlCheck() throws IOException
      Make an authorization decision based on the URL and HTTP method attributes. True is returned if the user is allowed to access the given URL as defined.
      Returns:
      the result of the authorization decision
      Throws:
      IOException
    • getAccess

      public String getAccess()
    • setAccess

      public void setAccess(String access)
    • getUrl

      public String getUrl()
    • setUrl

      public void setUrl(String url)
    • getMethod

      public String getMethod()
    • setMethod

      public void setMethod(String method)
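
The subclass contract described in the class summary, shown as an added example (not code from Spring Security): a hypothetical `TemplateAuthorizeTag` adapter with a hypothetical `isAllowed` helper. It assumes it runs inside a web application where Spring Security is already configured. Because `authorize()` evaluates `access` before `url`, the helper rejects templates that set both, so a URL check is never silently skipped.

```java
import java.io.IOException;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.springframework.security.taglibs.authz.AbstractAuthorizeTag;

// Hypothetical adapter for a rendering technology that hands over plain
// servlet objects and already-resolved attribute strings.
// Create one instance per tag invocation so no attribute state is reused.
public class TemplateAuthorizeTag extends AbstractAuthorizeTag {

    private final ServletRequest request;
    private final ServletResponse response;

    public TemplateAuthorizeTag(ServletRequest request, ServletResponse response) {
        this.request = request;
        this.response = response;
    }

    @Override
    protected ServletRequest getRequest() { return this.request; }

    @Override
    protected ServletResponse getResponse() { return this.response; }

    @Override
    protected ServletContext getServletContext() { return this.request.getServletContext(); }

    // Copies the attribute strings into the base class and returns the decision.
    // "access" and "url" are mutually exclusive and "access" is evaluated first,
    // so a template that sets both (or neither) is treated as an error here.
    public boolean isAllowed(String access, String url, String method) throws IOException {
        boolean hasAccess = access != null && !access.isBlank();
        boolean hasUrl = url != null && !url.isBlank();
        if (hasAccess == hasUrl) {
            throw new IllegalArgumentException("set exactly one of 'access' or 'url'");
        }
        if (hasAccess) {
            setAccess(access);      // Spring EL expression, evaluated by the base class
        } else {
            setUrl(url);            // URL whose access rules are checked
            if (method != null) {
                setMethod(method);  // HTTP method used for the URL check
            }
        }
        return authorize();
    }
}
```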