Page: AuthTagLib, Version:0

Auth tagLib

This page contains details of how to use the tags defined in AuthTagLib (a taglib to help with ACEGI-based security implementations within Grails).

Introduction

If you are using J2EE security within your Grails app (for example, ACEGI) then you can use the tags described here within your GSPs. If you want to start using ACEGI security within Grails see the Acegi On Grails Tutorial.

In summary the tags are:-

  • ifLoggedIn : Only execute the tag body if the user is logged in
  • ifNotLoggedIn : Only execute the tag body if the user is not logged in
  • loggedInUser : Output the user's username (if they are logged in!)
  • ifUserHasRole : Only execute the tag body if the user is logged in and has at least one of the roles specified
  • ifUserHasNoRole : Only execute the tag body if the user has none of the roles specified (or is not logged in)
  • ifUserCanEdit : Only execute the tag body if the user is logged in and has either at least one of the roles specified or the same username as the supplied value

All of the tags make use of standard J2EE servlet API methods on HttpServletRequest, which Grails exposes as the 'request' object, to determine the state of the logged in user. Specifically:-

  • request.remoteUser : exposes the current logged in user name (null if nobody is logged in)
  • request.isUserInRole("XYZ") : returns true if the user has the role "XYZ"

This has only been tested with ACEGI (but I would hope it works with any compliant servlet implementation). It has not been tested with HTTPS.

Tags

ifLoggedIn Tag

Description

Conditional logic tag to only execute the tag body if the user is logged in.

Example

<g:ifLoggedIn>
	<g:link controller="logout"><g:message code="common.logout"/></g:link>
</g:ifLoggedIn>
will only show the 'logout' link if the user is logged in.

ifNotLoggedIn Tag

Description

Conditional logic tag to only execute the tag body if the user is not logged in.

Example

<g:ifNotLoggedIn>
	<g:link controller="login"><g:message code="common.login"/></g:link>
</g:ifNotLoggedIn>
will only show the 'login' link if the user is not already logged in.

loggedInUser Tag

Description

Simply renders the logged in user's username (only if they are logged in, of course!)

Example

Welcome <g:loggedInUser/>

ifUserHasRole Tag

Description

Conditional logic tag to only execute the tag body if the user is logged in and has at least one of the specified roles.

Tag attributes (mandatory):-

  • roles : the comma delimited list of roles - one of which is required to execute the tag body

Example

Only render the link to 'Create a new article' if the user has logged in and has either of the roles 'ROLE_ADMIN' or 'ROLE_EDITOR'

<g:ifUserHasRole roles="ROLE_ADMIN,ROLE_EDITOR">
	<g:link controller="article" action="create">Create a new article</g:link>
</g:ifUserHasRole>

ifUserHasNoRole Tag

Description

Conditional logic tag to only execute the tag body if the user has none of the roles specified (or is not logged in)

Tag attributes (mandatory):-

  • roles : the comma delimited list of roles - if the user has any of these roles the tag body will not be executed.

Example

Only render the help text if the user is not logged in or has none of the roles 'ROLE_ADMIN' or 'ROLE_EDITOR'

<g:ifUserHasNoRole roles="ROLE_ADMIN,ROLE_EDITOR">
	<p>To request that this article is deleted contact the editor!</p>
</g:ifUserHasNoRole>

ifUserCanEdit Tag

Description

Conditional logic tag to only execute the tag body if the user has one of the roles specified or is logged in with the same username as the one supplied. This allows for more fine-grained security when conditionally showing actions that depend on which user is logged in and which record is being edited. For example, it supports the idea of an 'owner' of a domain object being allowed to edit/delete that domain object.

Tag attributes (all mandatory):-

  • roles : the comma delimited list of roles - if the user is logged in and has any of these roles the tag body will be executed.
  • userName : the token to compare with the logged in user's name. If the user is logged in with the same username as this token the tag body will be executed.

Example

Only render the edit link if the user is logged in and has the role 'ROLE_ADMIN', or if the user is logged in and was the creator of the user record being shown (e.g. through self-registration). This example assumes that the 'createdBy' attribute on the 'registeredUser' domain object records who created the user.

<g:ifUserCanEdit roles="ROLE_ADMIN" userName="${registeredUser?.createdBy}">
	<g:link action="edit" id="${registeredUser.id}"><g:message code="common.edit.title"/></g:link>
</g:ifUserCanEdit>

The Code!

/* Copyright 2004-2005 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * A taglib to help with J2EE security implementations (e.g. ACEGI) within Grails.
 *
 * @author Joe Mooney
 * @since 23-November-2006
 */
class AuthTagLib {

    // Execute main body only if the user is logged in
    def ifLoggedIn = { attrs, body ->
        if (getUserName()) {
            body()
        }
    }

    // Execute main body only if the user is NOT logged in
    def ifNotLoggedIn = { attrs, body ->
        if (!getUserName()) {
            body()
        }
    }

    // Execute main body only if the user is logged in and has one of the roles requested
    def ifUserHasRole = { attrs, body ->
        if (userHasOneOfRequiredRoles(attrs.roles.split(/,/))) {
            return body()
        }
    }

    // Execute main body only if the user has none of the roles requested (or is not logged in)
    def ifUserHasNoRole = { attrs, body ->
        if (!userHasOneOfRequiredRoles(attrs.roles.split(/,/))) {
            return body()
        }
    }

    // Output the signed on user name (if they are logged in)
    def loggedInUser = { attrs, body ->
        def username = getUserName()
        if (username) {
            out << username
        }
    }

    /*
     * Execute main body only if the user is logged in and is either an admin user (based on the
     * supplied roles) or the creator of the bean (based on the supplied userName)
     */
    def ifUserCanEdit = { attrs, body ->
        def userIsGood = false
        // The documented attribute is 'roles'; 'adminRoles' is still accepted for templates
        // written against the earlier attribute name
        def adminRoles = attrs.roles ?: attrs.adminRoles
        if (adminRoles) {
            userIsGood = userHasOneOfRequiredRoles(adminRoles.split(/,/))
        }
        if (!userIsGood) {
            def userName = attrs.userName
            def signedOnUserName = getUserName()
            // Only a logged in user can match the owner token (null never matches)
            if (signedOnUserName && userName == signedOnUserName) {
                userIsGood = true
            }
        }
        if (userIsGood) {
            return body()
        }
    }

    // Helper method to get the user name (null when nobody is logged in)
    def getUserName = { ->
        return request.remoteUser
    }

    // Helper method to indicate if a logged in user has at least one of the requested roles.
    // Role names are trimmed so "ROLE_ADMIN, ROLE_EDITOR" behaves like "ROLE_ADMIN,ROLE_EDITOR".
    def userHasOneOfRequiredRoles = { requiredRoles ->
        if (!getUserName()) {
            return false
        }
        return requiredRoles.any { roleRequired -> request.isUserInRole(roleRequired.trim()) }
    }
}
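Added here as a check on the tag decisions described above, in particular the owner-or-admin logic of ifUserCanEdit (this script is not part of the original taglib): plain Groovy that drives the tag closures of the AuthTagLib class above with a constructed stand-in for HttpServletRequest. FakeRequest, bodyRendered and the user names are assumptions of this example; Grails normally injects 'request' and 'out', so they are supplied here via the metaClass.

```groovy
// Constructed stand-in exposing only the two servlet API members the taglib uses
class FakeRequest {
    String remoteUser              // null means nobody is logged in
    Set<String> roles = [] as Set
    boolean isUserInRole(String role) { remoteUser != null && role in roles }
}

// Runs one tag closure of AuthTagLib and reports whether its body was rendered
boolean bodyRendered(FakeRequest req, String tagName, Map attrs) {
    def tagLib = new AuthTagLib()
    tagLib.metaClass.getRequest = { -> req }             // what Grails would inject
    tagLib.metaClass.getOut = { -> new StringWriter() }
    def rendered = false
    def body = { Object... args -> rendered = true; '' } // stands in for the GSP body
    tagLib."$tagName".call(attrs, body)
    return rendered
}

// Record created by 'alice'; the admin role list is supplied under both attribute
// names so the script runs against a taglib that reads either 'roles' or 'adminRoles'
def attrs = [roles: 'ROLE_ADMIN', adminRoles: 'ROLE_ADMIN', userName: 'alice']

// Anonymous visitor: no body, even though an owner token is supplied
assert !bodyRendered(new FakeRequest(), 'ifUserCanEdit', attrs)
// The owner, holding no roles at all: may edit
assert bodyRendered(new FakeRequest(remoteUser: 'alice'), 'ifUserCanEdit', attrs)
// A different user with only ROLE_USER: may not edit
assert !bodyRendered(new FakeRequest(remoteUser: 'bob', roles: ['ROLE_USER'] as Set),
                     'ifUserCanEdit', attrs)
// A different user holding ROLE_ADMIN: may edit
assert bodyRendered(new FakeRequest(remoteUser: 'bob', roles: ['ROLE_ADMIN'] as Set),
                    'ifUserCanEdit', attrs)

// The simpler tags share the same request checks
def editorRoles = [roles: 'ROLE_ADMIN,ROLE_EDITOR']
assert !bodyRendered(new FakeRequest(), 'ifUserHasRole', editorRoles)
assert bodyRendered(new FakeRequest(remoteUser: 'carol', roles: ['ROLE_EDITOR'] as Set),
                    'ifUserHasRole', editorRoles)
assert bodyRendered(new FakeRequest(), 'ifUserHasNoRole', editorRoles)
assert bodyRendered(new FakeRequest(remoteUser: 'carol'), 'ifLoggedIn', [:])
assert bodyRendered(new FakeRequest(), 'ifNotLoggedIn', [:])
println 'AuthTagLib checks passed'
```

The tags only decide what the GSP renders; the controller actions the links point at still need their own ACEGI protection, since a user can request those URLs without going through the page.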