From 9f9699f8a551f745ce27bcbe86831c0f6b48b98e Mon Sep 17 00:00:00 2001 From: onhann Date: Fri, 23 Jan 2026 22:00:57 +0900 Subject: [PATCH 1/2] Clarify need for method attribute in JSP authorize tag Closes gh-16530 This aligns the JSP documentation with the changes made in gh-16529. Added a NOTE to clarify that the method attribute is required when the underlying RequestMatcher is method-specific. Signed-off-by: onhann --- .../ROOT/pages/servlet/integrations/jsp-taglibs.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc b/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc index e5c8aed6c5..5d6c485bd8 100644 --- a/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc 
@@ -65,6 +65,18 @@ This is an instance of `DefaultWebInvocationPrivilegeEvaluator`, which creates a This lets you delegate to the access-control setup you defined by using `intercept-url` declarations within the `` namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs. You can also combine this approach with a `method` attribute (supplying the HTTP method, such as `POST`) for a more specific match. +[NOTE] +==== +If the underlying authorization configuration uses a `RequestMatcher` that is constrained to an HTTP method +(for example, an `AntPathRequestMatcher` or `MvcRequestMatcher` configured with a method), +specify the same `method` on the `` tag so that it can be evaluated against the intended rule. + +When access rules are method-specific, omitting `method` may cause the tag to be evaluated without an HTTP method, +which can lead to unexpected results. + +For example, if access is configured for `POST /admin`, then use ``. +==== + You can store the Boolean result of evaluating the tag (whether it grants or denies access) in a page context scope variable by setting the `var` attribute to the variable name, avoiding the need for duplicating and re-evaluating the condition at other points in the page. From 4d43edfb20152e755e8dca4c1eabf19ad0e7e535 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 24 Feb 2026 14:19:51 -0700 Subject: [PATCH 2/2] Polish Documentation - Combined explanation of method attribute with usage recommendations - Used one sentence per line format Issue gh-16530 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com> --- .../pages/servlet/integrations/jsp-taglibs.adoc | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc b/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc index 5d6c485bd8..b1b814e98b 100644 
--- a/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/jsp-taglibs.adoc 
@@ -63,19 +63,9 @@ To use this tag, you must also have an instance of `WebInvocationPrivilegeEvalua If you are using the namespace, one is automatically registered. This is an instance of `DefaultWebInvocationPrivilegeEvaluator`, which creates a dummy web request for the supplied URL and invokes the security interceptor to see whether the request would succeed or fail. This lets you delegate to the access-control setup you defined by using `intercept-url` declarations within the `` namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs. -You can also combine this approach with a `method` attribute (supplying the HTTP method, such as `POST`) for a more specific match. -[NOTE] -==== -If the underlying authorization configuration uses a `RequestMatcher` that is constrained to an HTTP method -(for example, an `AntPathRequestMatcher` or `MvcRequestMatcher` configured with a method), -specify the same `method` on the `` tag so that it can be evaluated against the intended rule. - -When access rules are method-specific, omitting `method` may cause the tag to be evaluated without an HTTP method, -which can lead to unexpected results. - -For example, if access is configured for `POST /admin`, then use ``. -==== +If you have xref:servlet/authorization/authorize-http-requests.adoc#match-by-httpmethod[method-based authorization rules], you should combine this approach with the `method` attribute (supplying the HTTP method, such as `POST`) to activate the intended method-based rule. +For example, if you have a rule `.requestMatchers(POST, "/admin").hasRole("ADMIN")`, then you should do `` to match. You can store the Boolean result of evaluating the tag (whether it grants or denies access) in a page context scope variable by setting the `var` attribute to the variable name, avoiding the need for duplicating and re-evaluating the condition at other points in the page.
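Review bot: In the first commit's hunk (the added `[NOTE]` block), "which can lead to unexpected results" leaves out the actual failure mode; state it concretely: when `method` is omitted, the method-constrained matcher does not match the dummy request, so evaluation falls through to whichever later rule (or the default) matches the URL alone, and the tag can show or hide content based on the wrong rule. The NOTE also wraps single sentences across several lines ("...constrained to an HTTP method", "(for example, ... configured with a method),", "specify the same `method`...") while the rest of this section keeps one sentence per line; reflow to match. Finally, the NOTE largely restates the preceding sentence about combining the tag with `method`; merge the two so the guidance appears once.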
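Review bot: In the second commit's hunk, the replacement drops the only statement of what goes wrong when `method` is omitted for a method-based rule; the new sentence says to add `method` "to activate the intended method-based rule" but no longer says that without it the tag is evaluated against a different rule, which is the point a reader needs. Keep one sentence on that consequence. The phrase "then you should do `` to match" also reads awkwardly; prefer "then set `method="POST"` on the tag as well so the evaluator matches that rule". Finally, confirm that the `match-by-httpmethod` anchor exists in `servlet/authorization/authorize-http-requests.adoc`, since a missing anchor leaves a broken link in the rendered docs.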