sec

Tag Library Information

ID (tag prefix): sec
URI: omnifaces.security

Tag Summary

authorize

The <sec:authorize> tag conditionally renders its content based on role-based access control using SecurityContext. It provides three mutually exclusive ways to check user roles: single role check, any-of-roles check, or all-of-roles check.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

 <html xmlns:sec="omnifaces.security">
 

The <sec:authorize> tag requires exactly one of the following attributes: role, anyRole, or allRoles.

Single role check

Use the role attribute to check if the user has a specific role. The content will only be rendered if the user has the specified role.

 <sec:authorize role="ADMIN">
     <h:link value="Admin Panel" outcome="/admin" />
 </sec:authorize>
 

Any-of-roles check

Use the anyRole attribute with comma-separated role names to check if the user has at least one of the specified roles. The content will be rendered if the user has any of the roles.

 <sec:authorize anyRole="ADMIN, MODERATOR, EDITOR">
     <h:link value="Content Management" outcome="/cms" />
 </sec:authorize>
 

All-of-roles check

Use the allRoles attribute with comma-separated role names to check if the user has all of the specified roles. The content will only be rendered if the user has all of the roles.

 <sec:authorize allRoles="ADMIN, AUDITOR">
     <h:link value="Audit Logs" outcome="/audit" />
 </sec:authorize>
 

Exposing authorization result

The optional var attribute exposes the boolean authorization result as a view-scoped variable. This is useful when you need to use the authorization result in multiple places without repeating the role check.

 <sec:authorize role="ADMIN" var="isAdmin" />

 <h:panelGroup rendered="#{isAdmin}">
     <h:link value="Admin Panel" outcome="/admin" />
 </h:panelGroup>

 <h:outputText value="Welcome, Administrator!" rendered="#{isAdmin}" />
 

The variable is always set regardless of whether the content inside the tag is rendered or not.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.
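
The tag decides only what is rendered in the view, so the action behind a hidden link or button needs the same check on the server. The following is an added example, not code from OmniFaces or this documentation: a hypothetical RoleGuard bean that applies the role, anyRole and allRoles semantics through SecurityContext#isCallerInRole(). Denying an empty role list is this example's own choice, not documented tag behaviour.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.security.enterprise.SecurityContext;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical helper bean (not part of OmniFaces): applies the same three
// checks as <sec:authorize> inside action methods, where they are enforced.
@Named
@RequestScoped
public class RoleGuard {

    @Inject
    private SecurityContext securityContext;

    // Splits "ADMIN, AUDITOR" into [ADMIN, AUDITOR]; blank entries are dropped.
    private static List<String> parse(String roles) {
        return Arrays.stream(roles == null ? new String[0] : roles.split(","))
                .map(String::trim)
                .filter(r -> !r.isEmpty())
                .collect(Collectors.toList());
    }

    // Counterpart of role="ADMIN".
    public boolean hasRole(String role) {
        return role != null && !role.isBlank()
                && securityContext.isCallerInRole(role.trim());
    }

    // Counterpart of anyRole="ADMIN, MODERATOR, EDITOR".
    public boolean hasAnyRole(String roles) {
        return parse(roles).stream().anyMatch(securityContext::isCallerInRole);
    }

    // Counterpart of allRoles="ADMIN, AUDITOR". allMatch() is true for an
    // empty stream, so an empty list is denied explicitly instead of passing.
    public boolean hasAllRoles(String roles) {
        List<String> required = parse(roles);
        return !required.isEmpty()
                && required.stream().allMatch(securityContext::isCallerInRole);
    }

    // Call first in an action method, e.g. requireAllRoles("ADMIN, AUDITOR").
    public void requireAllRoles(String roles) {
        if (!hasAllRoles(roles)) {
            throw new SecurityException("Caller lacks required roles: " + roles);
        }
    }
}
```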

isAnonymous

The <sec:isAnonymous> tag conditionally renders its content only when the user is anonymous (not authenticated). This is useful for displaying login forms, welcome messages for guests, or other content that should only be visible to non-authenticated users.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

 <html xmlns:sec="omnifaces.security">
 

The <sec:isAnonymous> tag has no attributes. Simply wrap the content you want to show only to anonymous users.

Example: Login form for anonymous users

Display a login link only when the user is not authenticated:

 <sec:isAnonymous>
     <h:link value="Login" outcome="/login" />
 </sec:isAnonymous>
 

Example: Welcome message for guests

Show a different welcome message for anonymous users:

 <sec:isAnonymous>
     <h:outputText value="Welcome, Guest! Please login to access all features." />
 </sec:isAnonymous>
 

Example: Combined with isAuthenticated

Use together with <sec:isAuthenticated> to show different content based on authentication status:

 <sec:isAnonymous>
     <h:form>
         <h:outputLabel for="username" value="Username:" />
         <h:inputText id="username" value="#{loginBean.username}" />
         <h:commandButton value="Login" action="#{loginBean.login}" />
     </h:form>
 </sec:isAnonymous>

 <sec:isAuthenticated>
     <h:outputText value="Welcome back, #{request.remoteUser}!" />
 </sec:isAuthenticated>
 

Implementation details

This tag checks if SecurityContext#getCallerPrincipal() returns null. If the principal is null, the user is considered anonymous and the content will be rendered.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.

isAuthenticated

The <sec:isAuthenticated> tag conditionally renders its content only when the user is authenticated (logged in). This is useful for displaying user-specific content, logout buttons, or other features that should only be available to authenticated users.

Usage

To use the security taglib, declare the omnifaces.security namespace in your Facelets view:

 <html xmlns:sec="omnifaces.security">
 

The <sec:isAuthenticated> tag has no attributes. Simply wrap the content you want to show only to authenticated users.

Example: Welcome message for authenticated users

Display a personalized welcome message only when the user is authenticated:

 <sec:isAuthenticated>
     <h:outputText value="Welcome back, #{request.remoteUser}!" />
 </sec:isAuthenticated>
 

Example: Logout button for authenticated users

Show a logout button only when the user is authenticated:

 <sec:isAuthenticated>
     <h:form>
         <h:commandButton value="Logout" action="#{loginBean.logout}" />
     </h:form>
 </sec:isAuthenticated>
 

Example: User-specific navigation

Display navigation links that are only available to authenticated users:

 <sec:isAuthenticated>
     <ul>
         <li><h:link value="My Profile" outcome="/profile" /></li>
         <li><h:link value="Settings" outcome="/settings" /></li>
         <li><h:link value="My Orders" outcome="/orders" /></li>
     </ul>
 </sec:isAuthenticated>
 

Example: Combined with isAnonymous

Use together with <sec:isAnonymous> to show different navigation based on authentication status:

 <sec:isAnonymous>
     <h:link value="Login" outcome="/login" />
     <h:link value="Register" outcome="/register" />
 </sec:isAnonymous>

 <sec:isAuthenticated>
     <h:link value="Profile" outcome="/profile" />
     <h:form>
         <h:commandLink value="Logout" action="#{loginBean.logout}" />
     </h:form>
 </sec:isAuthenticated>
 

Example: Combined with authorize

Use together with <sec:authorize> to combine authentication and role-based authorization:

 <sec:isAuthenticated>
     <h:link value="Dashboard" outcome="/dashboard" />

     <sec:authorize role="ADMIN">
         <h:link value="Admin Panel" outcome="/admin" />
     </sec:authorize>
 </sec:isAuthenticated>
 

Implementation details

This tag checks if SecurityContext#getCallerPrincipal() returns a non-null value. If the principal is not null, the user is considered authenticated and the content will be rendered.

Configuration

This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.
