Class AuthenticatedTagHandler

java.lang.Object
jakarta.faces.view.facelets.TagHandler
org.omnifaces.security.AuthenticatedTagHandler
All Implemented Interfaces:
FaceletHandler

public class AuthenticatedTagHandler extends TagHandler

The <sec:isAuthenticated> tag renders its content only when the user is authenticated (logged in). This is useful for displaying user-specific content, logout buttons, or other features that should only be available to authenticated users.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

 <html xmlns:sec="omnifaces.security">
 

The <sec:isAuthenticated> tag has no attributes. Simply wrap the content you want to show only to authenticated users.

Example: Welcome message for authenticated users

Display a personalized welcome message only when the user is authenticated:

 <sec:isAuthenticated>
     <h:outputText value="Welcome back, #{request.remoteUser}!" />
 </sec:isAuthenticated>
 

Example: Logout button for authenticated users

Show a logout button only when the user is authenticated:

 <sec:isAuthenticated>
     <h:form>
         <h:commandButton value="Logout" action="#{loginBean.logout}" />
     </h:form>
 </sec:isAuthenticated>
 

Example: User-specific navigation

Display navigation links that are only available to authenticated users:

 <sec:isAuthenticated>
     <ul>
         <li><h:link value="My Profile" outcome="/profile" /></li>
         <li><h:link value="Settings" outcome="/settings" /></li>
         <li><h:link value="My Orders" outcome="/orders" /></li>
     </ul>
 </sec:isAuthenticated>
 

Example: Combined with isAnonymous

Use together with <sec:isAnonymous> to show different navigation based on authentication status:

 <sec:isAnonymous>
     <h:link value="Login" outcome="/login" />
     <h:link value="Register" outcome="/register" />
 </sec:isAnonymous>

 <sec:isAuthenticated>
     <h:link value="Profile" outcome="/profile" />
     <h:form>
         <h:commandLink value="Logout" action="#{loginBean.logout}" />
     </h:form>
 </sec:isAuthenticated>
 

Example: Combined with authorize

Use together with <sec:authorize> to combine authentication and role-based authorization:

 <sec:isAuthenticated>
     <h:link value="Dashboard" outcome="/dashboard" />

     <sec:authorize role="ADMIN">
         <h:link value="Admin Panel" outcome="/admin" />
     </sec:authorize>
 </sec:isAuthenticated>
 

Implementation details

This tag checks if SecurityContext.getCallerPrincipal() returns a non-null value. If the principal is not null, the user is considered authenticated and the content will be rendered.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.
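
A minimal sketch of the check described under "Implementation details" and "Configuration", added here as an illustration and not taken from the OmniFaces source. The package and class name are hypothetical, and the lookup through CDI.current() is an assumption about how the SecurityContext is obtained from CDI.

```java
package com.example.security; // hypothetical package, not part of OmniFaces

import java.io.IOException;
import java.util.Optional;
import java.util.logging.Logger;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.faces.component.UIComponent;
import jakarta.faces.view.facelets.FaceletContext;
import jakarta.faces.view.facelets.TagConfig;
import jakarta.faces.view.facelets.TagHandler;
import jakarta.security.enterprise.SecurityContext;

/** Illustrative sketch only; the class name is hypothetical. */
public class AuthenticatedOnlySketch extends TagHandler {

    private static final Logger LOGGER = Logger.getLogger(AuthenticatedOnlySketch.class.getName());

    public AuthenticatedOnlySketch(TagConfig config) {
        super(config);
    }

    @Override
    public void apply(FaceletContext context, UIComponent parent) throws IOException {
        // Fail closed: an empty Optional (no SecurityContext) and a null caller
        // principal both leave the nested content out of the component tree.
        boolean authenticated = getSecurityContext()
            .map(SecurityContext::getCallerPrincipal) // a null result becomes an empty Optional
            .isPresent();

        if (authenticated) {
            nextHandler.apply(context, parent); // build the tag body
        }
    }

    protected Optional<SecurityContext> getSecurityContext() {
        try {
            Instance<SecurityContext> instance = CDI.current().select(SecurityContext.class);
            if (instance.isResolvable()) {
                return Optional.of(instance.get());
            }
        } catch (IllegalStateException e) {
            // CDI.current() throws this when no CDI container is available.
        }
        LOGGER.warning("SecurityContext not available; content will not be rendered.");
        return Optional.empty();
    }
}
```

As with the tag documented on this page, the sketch only decides what is built into the view. The pages and actions behind the hidden links (for example /profile or /admin in the examples above) still need their own server-side access constraints.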

Since:
5.0
Author:
Leonardo Bernardes (@redddcyclone), Bauke Scholtz
  • Constructor Details

    • AuthenticatedTagHandler

      public AuthenticatedTagHandler(TagConfig config)
      Constructor for the TagHandler
      Parameters:
      config - TagConfig
  • Method Details

    • apply

      public void apply(FaceletContext context, UIComponent parent) throws IOException
      Throws:
      IOException
    • getSecurityContext

      protected Optional<SecurityContext> getSecurityContext()
      Retrieves the current SecurityContext from CDI. If the SecurityContext is not available, logs a warning and returns an empty Optional.
      Returns:
      Optional containing the SecurityContext, or empty if not available