diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
new file mode 100644
index 0000000000..d85a351a5b
--- /dev/null
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
@@ -0,0 +1,336 @@
+/*
+ * Copyright 2004-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.taglibs.authz;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.core.GenericTypeResolver;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ParseException;
+import org.springframework.security.access.expression.ExpressionUtils;
+import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
+import org.springframework.util.StringUtils;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+
+/**
+ * A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets).
+ * It treats tag attributes as simple strings rather than strings that may contain expressions with the
+ * exception of the "access" attribute, which is always expected to contain a Spring EL expression.
+ *
+ * Subclasses are expected to extract tag attribute values from the specific rendering technology, evaluate
+ * them as expressions if necessary, and set the String-based attributes of this class.
+ *
+ * @author Francois Beausoleil
+ * @author Luke Taylor
+ * @author Rossen Stoyanchev
+ *
+ * @since 3.1.0
+ */
+public abstract class AbstractAuthorizeTag {
+
+ private String access;
+ private String url;
+ private String method;
+ private String ifAllGranted;
+ private String ifAnyGranted;
+ private String ifNotGranted;
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletRequest according to the rendering
+ * technology.
+ */
+ protected abstract ServletRequest getRequest();
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletResponse according to the rendering
+ * technology.
+ */
+ protected abstract ServletResponse getResponse();
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletContext according to the rendering
+ * technology.
+ */
+ protected abstract ServletContext getServletContext();
+
+ /**
+ * Make an authorization decision by considering all <authorize> tag attributes. The following are valid
+ * combinations of attributes:
+ *
+ * - access
+ * - url, method
+ * - ifAllGranted, ifAnyGranted, ifNotGranted
+ *
+ * The above combinations are mutually exclusive and evaluated in the given order.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorize() throws IOException {
+ boolean isAuthorized = false;
+
+ if (StringUtils.hasText(getAccess())) {
+ isAuthorized = authorizeUsingAccessExpression();
+
+ } else if (StringUtils.hasText(getUrl())) {
+ isAuthorized = authorizeUsingUrlCheck();
+
+ } else {
+ isAuthorized = authorizeUsingGrantedAuthorities();
+
+ }
+
+ return isAuthorized;
+ }
+
+ /**
+ * Make an authorization decision by considering ifAllGranted, ifAnyGranted, and ifNotGranted. All 3 or any
+ * combination can be provided. All provided attributes must evaluate to true.
+ *
+ * @return the result of the authorization decision
+ */
+ public boolean authorizeUsingGrantedAuthorities() {
+ boolean hasTextAllGranted = StringUtils.hasText(getIfAllGranted());
+ boolean hasTextAnyGranted = StringUtils.hasText(getIfAnyGranted());
+ boolean hasTextNotGranted = StringUtils.hasText(getIfNotGranted());
+
+ if ((!hasTextAllGranted) && (!hasTextAnyGranted) && (!hasTextNotGranted)) {
+ return false;
+ }
+
+ final Collection granted = getPrincipalAuthorities();
+
+ if (hasTextAllGranted) {
+ if (!granted.containsAll(toAuthorities(getIfAllGranted()))) {
+ return false;
+ }
+ }
+
+ if (hasTextAnyGranted) {
+ Set grantedCopy = retainAll(granted, toAuthorities(getIfAnyGranted()));
+ if (grantedCopy.isEmpty()) {
+ return false;
+ }
+ }
+
+ if (hasTextNotGranted) {
+ Set grantedCopy = retainAll(granted, toAuthorities(getIfNotGranted()));
+ if (!grantedCopy.isEmpty()) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Make an authorization decision based on a Spring EL expression. See the "Expression-Based Access Control" chapter
+ * in Spring Security for details on what expressions can be used.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorizeUsingAccessExpression() throws IOException {
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ if (currentUser == null) {
+ return false;
+ }
+
+ SecurityExpressionHandler handler = getExpressionHandler();
+
+ Expression accessExpression;
+ try {
+ accessExpression = handler.getExpressionParser().parseExpression(getAccess());
+
+ } catch (ParseException e) {
+ IOException ioException = new IOException();
+ ioException.initCause(e);
+ throw ioException;
+ }
+
+ FilterInvocation f = new FilterInvocation(getRequest(), getResponse(), new FilterChain() {
+ public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
+ throw new UnsupportedOperationException();
+ }
+ });
+
+ return ExpressionUtils.evaluateAsBoolean(accessExpression, handler.createEvaluationContext(currentUser, f));
+ }
+
+ /**
+ * Make an authorization decision based on the URL and HTTP method attributes. True is returned if the user is
+ * allowed to access the given URL as defined.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorizeUsingUrlCheck() throws IOException {
+ String contextPath = ((HttpServletRequest) getRequest()).getContextPath();
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ return getPrivilegeEvaluator().isAllowed(contextPath, getUrl(), getMethod(), currentUser);
+ }
+
+ public String getAccess() {
+ return access;
+ }
+
+ public void setAccess(String access) {
+ this.access = access;
+ }
+
+ public String getUrl() {
+ return url;
+ }
+
+ public void setUrl(String url) {
+ this.url = url;
+ }
+
+ public String getMethod() {
+ return method;
+ }
+
+ public void setMethod(String method) {
+ this.method = (method != null) ? method.toUpperCase() : null;
+ }
+
+ public String getIfAllGranted() {
+ return ifAllGranted;
+ }
+
+ public void setIfAllGranted(String ifAllGranted) {
+ this.ifAllGranted = ifAllGranted;
+ }
+
+ public String getIfAnyGranted() {
+ return ifAnyGranted;
+ }
+
+ public void setIfAnyGranted(String ifAnyGranted) {
+ this.ifAnyGranted = ifAnyGranted;
+ }
+
+ public String getIfNotGranted() {
+ return ifNotGranted;
+ }
+
+ public void setIfNotGranted(String ifNotGranted) {
+ this.ifNotGranted = ifNotGranted;
+ }
+
+ /*------------- Private helper methods -----------------*/
+
+ private Collection getPrincipalAuthorities() {
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ if (null == currentUser) {
+ return Collections.emptyList();
+ }
+ return currentUser.getAuthorities();
+ }
+
+ private Set toAuthorities(String authorizations) {
+ final Set requiredAuthorities = new HashSet();
+ requiredAuthorities.addAll(AuthorityUtils.commaSeparatedStringToAuthorityList(authorizations));
+ return requiredAuthorities;
+ }
+
+ private Set retainAll(final Collection granted,
+ final Set required) {
+ Set grantedRoles = authoritiesToRoles(granted);
+ Set requiredRoles = authoritiesToRoles(required);
+ grantedRoles.retainAll(requiredRoles);
+
+ return rolesToAuthorities(grantedRoles, granted);
+ }
+
+ private Set authoritiesToRoles(Collection c) {
+ Set target = new HashSet();
+ for (GrantedAuthority authority : c) {
+ if (null == authority.getAuthority()) {
+ throw new IllegalArgumentException(
+ "Cannot process GrantedAuthority objects which return null from getAuthority() - attempting to process "
+ + authority.toString());
+ }
+ target.add(authority.getAuthority());
+ }
+ return target;
+ }
+
+ private Set rolesToAuthorities(Set grantedRoles, Collection granted) {
+ Set target = new HashSet();
+ for (String role : grantedRoles) {
+ for (GrantedAuthority authority : granted) {
+ if (authority.getAuthority().equals(role)) {
+ target.add(authority);
+ break;
+ }
+ }
+ }
+ return target;
+ }
+
+ private SecurityExpressionHandler getExpressionHandler() throws IOException {
+ ApplicationContext appContext = WebApplicationContextUtils
+ .getRequiredWebApplicationContext(getServletContext());
+ Map handlers = appContext
+ .getBeansOfType(SecurityExpressionHandler.class);
+
+ for (SecurityExpressionHandler h : handlers.values()) {
+ if (FilterInvocation.class.equals(GenericTypeResolver.resolveTypeArgument(h.getClass(),
+ SecurityExpressionHandler.class))) {
+ return h;
+ }
+ }
+
+ throw new IOException("No visible WebSecurityExpressionHandler instance could be found in the application "
+ + "context. There must be at least one in order to support expressions in JSP 'authorize' tags.");
+ }
+
+ private WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() throws IOException {
+ ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
+ Map wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
+
+ if (wipes.size() == 0) {
+ throw new IOException(
+ "No visible WebInvocationPrivilegeEvaluator instance could be found in the application "
+ + "context. There must be at least one in order to support the use of URL access checks in 'authorize' tags.");
+ }
+
+ return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0];
+ }
+}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java
deleted file mode 100644
index d9afe4b6ae..0000000000
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java
+++ /dev/null
@@ -1,141 +0,0 @@
-package org.springframework.security.taglibs.authz;
-
-import java.io.IOException;
-import java.util.*;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.jsp.JspException;
-import javax.servlet.jsp.PageContext;
-
-import org.springframework.context.ApplicationContext;
-import org.springframework.core.GenericTypeResolver;
-import org.springframework.expression.Expression;
-import org.springframework.expression.ParseException;
-import org.springframework.security.access.expression.ExpressionUtils;
-import org.springframework.security.access.expression.SecurityExpressionHandler;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.FilterInvocation;
-import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
-import org.springframework.web.context.support.WebApplicationContextUtils;
-
-/**
- * Access control tag which evaluates its body based either on
- *
- * - an access expression (the "access" attribute), or
- * - by evaluating the current user's right to access a particular URL (set using the "url" attribute).
- *
- * @author Luke Taylor
- * @since 3.0
- */
-public class AuthorizeTag extends LegacyAuthorizeTag {
- private String access;
- private String url;
- private String method;
- private String var;
-
- // If access expression evaluates to "true" return
- public int doStartTag() throws JspException {
- Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
-
- if (currentUser == null) {
- return SKIP_BODY;
- }
-
- int result;
-
- if (access != null && access.length() > 0) {
- result = authorizeUsingAccessExpression(currentUser);
- } else if (url != null && url.length() > 0) {
- result = authorizeUsingUrlCheck(currentUser);
- } else {
- result = super.doStartTag();
- }
-
- if (var != null) {
- pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE);
- }
-
- return result;
- }
-
- private int authorizeUsingAccessExpression(Authentication currentUser) throws JspException {
- SecurityExpressionHandler handler = getExpressionHandler();
-
- Expression accessExpression;
- try {
- accessExpression = handler.getExpressionParser().parseExpression(access);
-
- } catch (ParseException e) {
- throw new JspException(e);
- }
-
- FilterInvocation f = new FilterInvocation(pageContext.getRequest(), pageContext.getResponse(), DUMMY_CHAIN);
-
- if (ExpressionUtils.evaluateAsBoolean(accessExpression, handler.createEvaluationContext(currentUser, f))) {
- return EVAL_BODY_INCLUDE;
- }
-
- return SKIP_BODY;
- }
-
- private int authorizeUsingUrlCheck(Authentication currentUser) throws JspException {
- return getPrivilegeEvaluator().isAllowed(((HttpServletRequest)pageContext.getRequest()).getContextPath(),
- url, method, currentUser) ? EVAL_BODY_INCLUDE : SKIP_BODY;
- }
-
- public void setAccess(String access) {
- this.access = access;
- }
-
- public void setUrl(String url) {
- this.url = url;
- }
-
- public void setMethod(String method) {
- this.method = method;
- }
-
- public void setVar(String var) {
- this.var = var;
- }
-
- SecurityExpressionHandler getExpressionHandler() throws JspException {
- ServletContext servletContext = pageContext.getServletContext();
- ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
- Map expressionHdlrs = ctx.getBeansOfType(SecurityExpressionHandler.class);
-
-
- for (SecurityExpressionHandler h : expressionHdlrs.values()) {
- if (FilterInvocation.class.equals(GenericTypeResolver.resolveTypeArgument(h.getClass(), SecurityExpressionHandler.class))) {
- return h;
- }
- }
-
- throw new JspException("No visible SecurityExpressionHandler instance could be found in the " +
- "application context. There must be at least one in order to support expressions in JSP 'authorize' tags.");
- }
-
- WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() throws JspException {
- ServletContext servletContext = pageContext.getServletContext();
- ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
- Map wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
-
- if (wipes.size() == 0) {
- throw new JspException("No visible WebInvocationPrivilegeEvaluator instance could be found in the application " +
- "context. There must be at least one in order to support the use of URL access checks in 'authorize' tags.");
- }
-
- return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0];
- }
-
- private static final FilterChain DUMMY_CHAIN = new FilterChain() {
- public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
- throw new UnsupportedOperationException();
- }
- };
-}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
new file mode 100644
index 0000000000..fe4870780e
--- /dev/null
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
@@ -0,0 +1,101 @@
+package org.springframework.security.taglibs.authz;
+
+import java.io.IOException;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.PageContext;
+import javax.servlet.jsp.tagext.Tag;
+
+import org.springframework.web.util.ExpressionEvaluationUtils;
+
+/**
+ * A JSP {@link Tag} implementation of {@link AbstractAuthorizeTag}.
+ *
+ * @since 3.1.0
+ *
+ * @author Rossen Stoyanchev
+ *
+ * @see AbstractAuthorizeTag
+ */
+public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
+
+ private Tag parent;
+
+ protected String id;
+
+ protected PageContext pageContext;
+
+ /**
+ * Invokes the base class {@link AbstractAuthorizeTag#authorize()} method to
+ * decide if the body of the tag should be skipped or not.
+ *
+ * @return {@link Tag#SKIP_BODY} or {@link Tag#EVAL_BODY_INCLUDE}
+ */
+ public int doStartTag() throws JspException {
+ try {
+ setIfNotGranted(ExpressionEvaluationUtils.evaluateString("ifNotGranted", getIfNotGranted(), pageContext));
+ setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
+ setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));
+
+ return super.authorize() ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
+
+ } catch (IOException e) {
+ throw new JspException(e);
+ }
+ }
+
+ /**
+ * Default processing of the end tag returning EVAL_PAGE.
+ *
+ * @return EVAL_PAGE
+ *
+ * @see Tag#doEndTag()
+ */
+ public int doEndTag() {
+ return EVAL_PAGE;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public Tag getParent() {
+ return parent;
+ }
+
+ public void setParent(Tag parent) {
+ this.parent = parent;
+ }
+
+ public void release() {
+ parent = null;
+ id = null;
+ }
+
+ public void setPageContext(PageContext pageContext) {
+ this.pageContext = pageContext;
+ }
+
+ @Override
+ protected ServletRequest getRequest() {
+ return pageContext.getRequest();
+ }
+
+ @Override
+ protected ServletResponse getResponse() {
+ return pageContext.getResponse();
+ }
+
+ @Override
+ protected ServletContext getServletContext() {
+ return pageContext.getServletContext();
+ }
+
+}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java
deleted file mode 100644
index 4f120c9bc0..0000000000
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java
+++ /dev/null
@@ -1,192 +0,0 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.taglibs.authz;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.servlet.jsp.JspException;
-import javax.servlet.jsp.tagext.Tag;
-import javax.servlet.jsp.tagext.TagSupport;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.GrantedAuthorityImpl;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.web.util.ExpressionEvaluationUtils;
-
-
-/**
- * An implementation of {@link javax.servlet.jsp.tagext.Tag} that allows it's body through if some authorizations
- * are granted to the request's principal.
- *
- * @author Francois Beausoleil
- */
-public class LegacyAuthorizeTag extends TagSupport {
- //~ Instance fields ================================================================================================
-
- private String ifAllGranted = "";
- private String ifAnyGranted = "";
- private String ifNotGranted = "";
-
- //~ Methods ========================================================================================================
-
- private Set authoritiesToRoles(Collection c) {
- Set target = new HashSet();
-
- for (GrantedAuthority authority : c) {
- if (null == authority.getAuthority()) {
- throw new IllegalArgumentException(
- "Cannot process GrantedAuthority objects which return null from getAuthority() - attempting to process "
- + authority.toString());
- }
-
- target.add(authority.getAuthority());
- }
-
- return target;
- }
-
- public int doStartTag() throws JspException {
- if (((null == ifAllGranted) || "".equals(ifAllGranted)) && ((null == ifAnyGranted) || "".equals(ifAnyGranted))
- && ((null == ifNotGranted) || "".equals(ifNotGranted))) {
- return Tag.SKIP_BODY;
- }
-
- final Collection granted = getPrincipalAuthorities();
-
- final String evaledIfNotGranted = ExpressionEvaluationUtils.evaluateString("ifNotGranted", ifNotGranted,
- pageContext);
-
- if ((null != evaledIfNotGranted) && !"".equals(evaledIfNotGranted)) {
- Set grantedCopy = retainAll(granted, parseAuthoritiesString(evaledIfNotGranted));
-
- if (!grantedCopy.isEmpty()) {
- return Tag.SKIP_BODY;
- }
- }
-
- final String evaledIfAllGranted = ExpressionEvaluationUtils.evaluateString("ifAllGranted", ifAllGranted,
- pageContext);
-
- if ((null != evaledIfAllGranted) && !"".equals(evaledIfAllGranted)) {
- if (!granted.containsAll(parseAuthoritiesString(evaledIfAllGranted))) {
- return Tag.SKIP_BODY;
- }
- }
-
- final String evaledIfAnyGranted = ExpressionEvaluationUtils.evaluateString("ifAnyGranted", ifAnyGranted,
- pageContext);
-
- if ((null != evaledIfAnyGranted) && !"".equals(evaledIfAnyGranted)) {
- Set grantedCopy = retainAll(granted, parseAuthoritiesString(evaledIfAnyGranted));
-
- if (grantedCopy.isEmpty()) {
- return Tag.SKIP_BODY;
- }
- }
-
- return Tag.EVAL_BODY_INCLUDE;
- }
-
- public String getIfAllGranted() {
- return ifAllGranted;
- }
-
- public String getIfAnyGranted() {
- return ifAnyGranted;
- }
-
- public String getIfNotGranted() {
- return ifNotGranted;
- }
-
- private Collection getPrincipalAuthorities() {
- Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
-
- if (null == currentUser) {
- return Collections.emptyList();
- }
-
- return currentUser.getAuthorities();
- }
-
- private Set parseAuthoritiesString(String authorizationsString) {
- final Set requiredAuthorities = new HashSet();
- requiredAuthorities.addAll(AuthorityUtils.commaSeparatedStringToAuthorityList(authorizationsString));
-
- return requiredAuthorities;
- }
-
- /**
- * Find the common authorities between the current authentication's {@link GrantedAuthority} and the ones
- * that have been specified in the tag's ifAny, ifNot or ifAllGranted attributes.We need to manually
- * iterate over both collections, because the granted authorities might not implement {@link
- * Object#equals(Object)} and {@link Object#hashCode()} in the same way as {@link GrantedAuthorityImpl}, thereby
- * invalidating {@link Collection#retainAll(java.util.Collection)} results.
- *
- * CAVEAT: This method will not work if the granted authorities
- * returns a null
string as the return value of {@link GrantedAuthority#getAuthority()}.
- *
- *
- * @param granted The authorities granted by the authentication. May be any implementation of {@link
- * GrantedAuthority} that does not return null
from {@link
- * GrantedAuthority#getAuthority()}.
- * @param required A {@link Set} of {@link GrantedAuthorityImpl}s that have been built using ifAny, ifAll or
- * ifNotGranted.
- *
- * @return A set containing only the common authorities between granted and required.
- *
- */
- private Set retainAll(final Collection granted, final Set required) {
- Set grantedRoles = authoritiesToRoles(granted);
- Set requiredRoles = authoritiesToRoles(required);
- grantedRoles.retainAll(requiredRoles);
-
- return rolesToAuthorities(grantedRoles, granted);
- }
-
- private Set rolesToAuthorities(Set grantedRoles, Collection granted) {
- Set target = new HashSet();
-
- for (String role : grantedRoles) {
- for (GrantedAuthority authority : granted) {
- if (authority.getAuthority().equals(role)) {
- target.add(authority);
-
- break;
- }
- }
- }
-
- return target;
- }
-
- public void setIfAllGranted(String ifAllGranted) throws JspException {
- this.ifAllGranted = ifAllGranted;
- }
-
- public void setIfAnyGranted(String ifAnyGranted) throws JspException {
- this.ifAnyGranted = ifAnyGranted;
- }
-
- public void setIfNotGranted(String ifNotGranted) throws JspException {
- this.ifNotGranted = ifNotGranted;
- }
-}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java b/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
index c809f52882..56fa3b1847 100644
--- a/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
@@ -20,7 +20,7 @@ import javax.servlet.jsp.tagext.Tag;
import org.springframework.context.ApplicationContext;
import org.springframework.security.taglibs.authz.AuthenticationTag;
-import org.springframework.security.taglibs.authz.LegacyAuthorizeTag;
+import org.springframework.security.taglibs.authz.JspAuthorizeTag;
/**
@@ -72,10 +72,10 @@ public class AuthzImpl implements Authz {
}
/**
- * implementation of LegacyAuthorizeTag
+ * implementation of JspAuthorizeTag
*/
private boolean ifGranted(String roles, int grantType) {
- LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag();
+ JspAuthorizeTag authorizeTag = new JspAuthorizeTag();
int result;
diff --git a/taglibs/src/main/resources/META-INF/security.tld b/taglibs/src/main/resources/META-INF/security.tld
index b14383f498..87b0368cb7 100644
--- a/taglibs/src/main/resources/META-INF/security.tld
+++ b/taglibs/src/main/resources/META-INF/security.tld
@@ -13,7 +13,7 @@
authorize
- org.springframework.security.taglibs.authz.AuthorizeTag
+ org.springframework.security.taglibs.authz.JspAuthorizeTag
A tag which outputs the body of the tag if the configured access expression
evaluates to true for the currently authenticated principal.
diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java
index 22c02f8b3b..03f854a709 100644
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java
@@ -36,7 +36,7 @@ import javax.servlet.jsp.tagext.Tag;
public class AuthorizeTagAttributeTests extends TestCase {
//~ Instance fields ================================================================================================
- private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag();
+ private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag();
private TestingAuthenticationToken currentUser;
//~ Methods ========================================================================================================
diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
index 13c2950ebb..233daf8a31 100644
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
@@ -34,7 +34,7 @@ import javax.servlet.jsp.tagext.Tag;
public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase {
//~ Instance fields ================================================================================================
- private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag();
+ private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag();
private TestingAuthenticationToken currentUser;
//~ Methods ========================================================================================================
diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
index 3cc352b969..df34d51b9a 100644
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
@@ -33,7 +33,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
public class AuthorizeTagExpressionLanguageTests extends TestCase {
//~ Instance fields ================================================================================================
- private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag();
+ private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag();
private MockPageContext pageContext;
private TestingAuthenticationToken currentUser;
diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java
index 226c023fb5..77455dc9dc 100644
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java
@@ -43,7 +43,7 @@ import org.springframework.web.context.support.StaticWebApplicationContext;
public class AuthorizeTagTests {
//~ Instance fields ================================================================================================
- private AuthorizeTag authorizeTag;
+ private JspAuthorizeTag authorizeTag;
private final TestingAuthenticationToken currentUser = new TestingAuthenticationToken("abc", "123", "ROLE SUPERVISOR", "ROLE_TELLER");
//~ Methods ========================================================================================================
@@ -56,7 +56,7 @@ public class AuthorizeTagTests {
ctx.registerSingleton("wipe", MockWebInvocationPrivilegeEvaluator.class);
MockServletContext servletCtx = new MockServletContext();
servletCtx.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, ctx);
- authorizeTag = new AuthorizeTag();
+ authorizeTag = new JspAuthorizeTag();
authorizeTag.setPageContext(new MockPageContext(servletCtx, new MockHttpServletRequest(), new MockHttpServletResponse()));
}
@@ -125,9 +125,18 @@ public class AuthorizeTagTests {
@Test
public void testDefaultsToNotOutputtingBodyWhenNoRequiredAuthorities() throws JspException {
- assertEquals("", authorizeTag.getIfAllGranted());
- assertEquals("", authorizeTag.getIfAnyGranted());
- assertEquals("", authorizeTag.getIfNotGranted());
+ assertEquals(null, authorizeTag.getIfAllGranted());
+ assertEquals(null, authorizeTag.getIfAnyGranted());
+ assertEquals(null, authorizeTag.getIfNotGranted());
+
+ assertEquals(Tag.SKIP_BODY, authorizeTag.doStartTag());
+ }
+
+ @Test
+ public void testDefaultsToNotOutputtingBodyWhenNoAuthoritiesProvided() throws JspException {
+ authorizeTag.setIfAllGranted("");
+ authorizeTag.setIfAnyGranted("");
+ authorizeTag.setIfNotGranted("");
assertEquals(Tag.SKIP_BODY, authorizeTag.doStartTag());
}
diff --git a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java
index 22178b4182..cf60ee94b8 100644
--- a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java
+++ b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java
@@ -83,7 +83,6 @@ public class JaasApiIntegrationFilterTest {
authenticatedSubject.getPrivateCredentials().add("password");
authenticatedSubject.getPublicCredentials().add("username");
callbackHandler = new CallbackHandler() {
- @Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof NameCallback) {