mirror of
https://github.com/spring-projects/spring-security.git
synced 2026-03-01 16:44:53 +00:00
Clarify need for method attribute in JSP authorize tag
Closes gh-16530

This aligns the JSP documentation with the changes made in gh-16529. Added a NOTE to clarify that the method attribute is required when the underlying RequestMatcher is method-specific.

Signed-off-by: onhann <gusgus1467@naver.com>
parent d29c984881
commit 9f9699f8a5
@ -65,6 +65,18 @@ This is an instance of `DefaultWebInvocationPrivilegeEvaluator`, which creates a
|
||||
This lets you delegate to the access-control setup you defined by using `intercept-url` declarations within the `<http>` namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs.
|
||||
You can also combine this approach with a `method` attribute (supplying the HTTP method, such as `POST`) for a more specific match.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
If the underlying authorization configuration uses a `RequestMatcher` that is constrained to an HTTP method
|
||||
(for example, an `AntPathRequestMatcher` or `MvcRequestMatcher` configured with a method),
|
||||
specify the same `method` on the `<sec:authorize>` tag so that it can be evaluated against the intended rule.
|
||||
|
||||
When access rules are method-specific, omitting `method` may cause the tag to be evaluated without an HTTP method,
|
||||
which can lead to unexpected results.
|
||||
|
||||
For example, if access is configured for `POST /admin`, then use `<sec:authorize url="/admin" method="POST">`.
|
||||
====
|
||||
|
||||
You can store the Boolean result of evaluating the tag (whether it grants or denies access) in a page context scope variable by setting the `var` attribute to the variable name, avoiding the need for duplicating and re-evaluating the condition at other points in the page.
|
||||
|
||||
|
||||
|
||||
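Review bot: In the second paragraph of the added NOTE, "may cause the tag to be evaluated without an HTTP method, which can lead to unexpected results" does not tell the reader which way the check fails. The tag's result grants or denies access, so the note should say concretely what the reader will observe when `method` is omitted against a method-specific rule (for the `POST /admin` example, whether the tag grants or denies), so the problem can be recognised in a page. The first paragraph of the NOTE also overlaps with the unchanged sentence directly above it ("You can also combine this approach with a `method` attribute ..."), so consider merging the two. Style: the unchanged lines in this file keep each sentence on a single line, while the added sentences are wrapped mid-clause across two or three lines; put each sentence on one line to match.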