JSTL标签中的Spring安全开关案例

Question

Is there a way to convert a jsp code of the form

<security:authorize access="hasRole('ROLE_USER')">You're an user</security:authorize>
<security:authorize access="hasRole('ROLE_ADMIN')">You're an admin</security:authorize>
<security:authorize access="hasRole('ROLE_SADMIN')">You're a superadmin</security:authorize>

to another form, similar to the following (doesn't work)?

<c:choose>
  <c:when test="hasRole('ROLE_USER')">
    You're an user
  </c:when>
  <c:when test="hasRole('ROLE_ADMIN')">
    You're an admin
  </c:when>
  <c:when test="hasRole('ROLE_SADMIN')">
    You're a superadmin
  </c:when>
  <c:otherwise>
    You have no relevant role
  </c:otherwise>
</c:choose>

More precisely, is there a way to substitute this Spring Security taglib functionality with JSTL tags?

Answer 1

You can use the var attribute of the <security:authorize/> tag which will create:

A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the same condition to be reused subsequently in the page without re-evaluation.

<security:authorize access="hasRole('ROLE_USER')" var="isUser" />
<security:authorize access="hasRole('ROLE_ADMIN')" var="isAdmin" />
<security:authorize access="hasRole('ROLE_SADMIN')" var="isSuperUser" />

<c:choose>
  <c:when test="${isSuperUser}">
    You're a superadmin
  </c:when>
  <c:when test="${isAdmin}">
    You're an admin
  </c:when>
  <c:when test="${isUser}">
    You're an user
  </c:when>
  <c:otherwise>
    You have no relevant role
  </c:otherwise>
</c:choose>

Answer 2

Workarround: When you have only this simple hasRole(XXX) expressions, then you could have a variable that contains the role of the current user. This variable could be populated by the controller, or when you needed it in almost all jsps, by an Spring HandlerInterceptor or Servlet Filter (that is registered after the Spring Security Filter).