Download email_35/src/stripesbook/action/MessageDetailsActionBean.java
@RolesAllowed({
    "Administrator",
    "User if ${user eq message.folder.user}"
})
public class MessageDetailsActionBean extends BaseActionBean {
    public void setMessage(Message message) {
        this.message = message;
    }
}
Administrators are granted access no matter what, and users can get
access only if the message belongs to them. How cool is that?
Hiding Restricted Content in JSPs
We're now controlling access to action beans according to roles. For the
User List page, it seems unfair to show the link in the menu to
nonadministrator users, only to show them an “Access is denied” message if
they click the link.
Stripes-Security also includes a tag library so that you can show or hide
content in JSPs according to the user's authorization. We'll declare the
tag library in taglibs.jsp:
Download email_35/web/WEB-INF/jsp/common/taglibs.jsp
<%@taglib prefix="security"
uri="http://www.stripes-stuff.org/security.tld"%>
The library includes two tags. The <security:allowed> tag renders its
body if the user is allowed to use the default event of the current action
bean. We can also use a different action bean by indicating its ID in
the bean= attribute and can use a different event with its name in the
event= attribute:
<security:allowed>
    <!--this appears only if the user is authorized access to the
        default event handler of the current action bean-->
</security:allowed>
<s:useActionBean id="beanId" beanclass="..."/>
<security:allowed bean="beanId">
    <!--same as above, but use the action bean whose ID is "beanId"-->
</security:allowed>
<security:allowed event="someEvent">
    <!--use "someEvent" event handler of the current action bean-->
</security:allowed>
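Applied to the User List link discussed above, a menu fragment could look like the following. This is an added example, not code from the book: the class name stripesbook.action.UserListActionBean and the "delete" event are assumed for illustration, and only the taglibs.jsp path is taken from the page.

```jsp
<%-- Added example. UserListActionBean and the "delete" event are assumed names. --%>
<%@include file="/WEB-INF/jsp/common/taglibs.jsp"%>

<%-- Make the target bean available under an ID so the security tag
     can evaluate that bean's @RolesAllowed rules. --%>
<s:useActionBean id="userList"
    beanclass="stripesbook.action.UserListActionBean"/>

<ul id="menu">
  <%-- Rendered only if the current user may invoke the default event
       of the User List bean; other users never see the link. --%>
  <security:allowed bean="userList">
    <li>
      <s:link beanclass="stripesbook.action.UserListActionBean">
        User List
      </s:link>
    </li>
  </security:allowed>

  <%-- bean= and event= combined: checks one specific event handler
       on another bean rather than its default event. --%>
  <security:allowed bean="userList" event="delete">
    <li>
      <s:link beanclass="stripesbook.action.UserListActionBean"
              event="delete">
        Delete Selected Users
      </s:link>
    </li>
  </security:allowed>
</ul>
```

The tag only controls what is rendered. The @RolesAllowed annotation on the action bean is still what rejects a request sent directly to the URL, so it stays in place.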
 
 