Module org.omnifaces

Package org.omnifaces.security

Class AuthorizeTagHandler

java.lang.Object

jakarta.faces.view.facelets.TagHandler

org.omnifaces.security.AuthorizeTagHandler

All Implemented Interfaces:

FaceletHandler

public class AuthorizeTagHandler
extends TagHandler

The <sec:authorize> tag conditionally renders its content based on role-based access control using SecurityContext. It provides three mutually exclusive ways to check user roles: single role check, any-of-roles check, or all-of-roles check.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

 <html xmlns:sec="omnifaces.security">
 

The <sec:authorize> tag requires exactly one of the following attributes: role, anyRole, or allRoles.

Single role check

Use the role attribute to check if the user has a specific role. The content will only be rendered if the user has the specified role.

 <sec:authorize role="ADMIN">
     <h:link value="Admin Panel" outcome="/admin" />
 </sec:authorize>
 

Any-of-roles check

Use the anyRole attribute with comma-separated role names to check if the user has at least one of the specified roles. The content will be rendered if the user has any of the roles.

 <sec:authorize anyRole="ADMIN, MODERATOR, EDITOR">
     <h:link value="Content Management" outcome="/cms" />
 </sec:authorize>
 

All-of-roles check

Use the allRoles attribute with comma-separated role names to check if the user has all of the specified roles. The content will only be rendered if the user has all of the roles.

 <sec:authorize allRoles="ADMIN, AUDITOR">
     <h:link value="Audit Logs" outcome="/audit" />
 </sec:authorize>
 

Exposing authorization result

The optional var attribute exposes the boolean authorization result as a view-scoped variable. This is useful when you need to use the authorization result in multiple places without repeating the role check.

 <sec:authorize role="ADMIN" var="isAdmin" />

 <h:panelGroup rendered="#{isAdmin}">
     <h:link value="Admin Panel" outcome="/admin" />
 </h:panelGroup>

 <h:outputText value="Welcome, Administrator!" rendered="#{isAdmin}" />
 

The variable is always set regardless of whether the content inside the tag is rendered or not.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.

Since:

5.0

Author:

Leonardo Bernardes (@redddcyclone), Bauke Scholtz

See Also:

• BaseSecurityTagHandler
• AnonymousTagHandler
• AuthenticatedTagHandler

Field Summary

Fields inherited from class jakarta.faces.view.facelets.TagHandler

nextHandler, tag, tagId

Constructor Summary

Constructors

Constructor	Description
AuthorizeTagHandler(TagConfig config)	Constructor for the TagHandler

Method Summary

Modifier and Type	Method	Description
void	apply(FaceletContext context, UIComponent parent)
protected Optional<SecurityContext>	getSecurityContext()	Retrieves the current SecurityContext from CDI.

Methods inherited from class jakarta.faces.view.facelets.TagHandler

getAttribute, getRequiredAttribute, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Details

AuthorizeTagHandler

public AuthorizeTagHandler(TagConfig config)

Constructor for the TagHandler

Parameters:

config - TagConfig

Method Details

apply

public void apply(FaceletContext context,
 UIComponent parent)
           throws IOException

Throws:

IOException

getSecurityContext

protected Optional<SecurityContext> getSecurityContext()

Retrieves the current SecurityContext from CDI. If the SecurityContext is not available, logs a warning and returns empty Optional.

Returns:

Optional containing the SecurityContext, or empty if not available