package net.techreadiness.ui.tags.security;

import java.util.Set;

import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.Tag;

import net.techreadiness.security.PermissionCode;
import net.techreadiness.security.PermissionCodeSet;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * A JSP {@link Tag} that renders its body only when the current principal holds the requested permissions.
 * <p>
 * One or more comma-separated {@link PermissionCode}s are supplied through the {@code hasPermission} attribute as a
 * {@link Set} (held here as a {@link PermissionCodeSet}).
 * <p>
 * The tag fails closed: the body is skipped when no permission codes are configured, when the security context holds
 * no {@link Authentication}, and when the permission check does not succeed.
 * <p>
 * This tag only decides whether markup is rendered. Hiding markup is not an access control on the request that the
 * markup would trigger; the handler behind it needs its own permission check.
 */
public class SecuredTag extends AbstractSecurityTag {

    private static final long serialVersionUID = 1L;

    protected static final Log logger = LogFactory.getLog(SecuredTag.class);

    /** Permission codes bound from the {@code hasPermission} attribute; {@code null} until the setter is called. */
    private PermissionCodeSet permissionCodes;

    /**
     * Decides whether the tag body is evaluated for the current request.
     *
     * @return the result of {@code evalBody()} when {@code userService.hasPermission} accepts the configured codes,
     *         otherwise the result of {@code skipBody()}
     * @throws JspException
     *             declared by the tag contract; nothing in this method throws it directly
     */
    @Override
    public int doStartTag() throws JspException {
        // No codes configured means nothing can be granted, so deny before touching any service.
        final boolean nothingRequested = permissionCodes == null || permissionCodes.size() < 1;
        if (nothingRequested) {
            return skipBody();
        }

        // Defined in the superclass and not visible here; presumably wires userService - confirm.
        initializeIfRequired();

        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("SecurityContextHolder did not return a non-null Authentication object, so skipping tag body");
            }
            return skipBody();
        }

        // NOTE(review): the Authentication is used only as a presence check. The decision itself is made from
        // getServiceContext(), so both are assumed to describe the same principal - confirm in AbstractSecurityTag.
        final boolean granted = userService.hasPermission(getServiceContext(), permissionCodes.toArray());
        return granted ? evalBody() : skipBody();
    }

    /**
     * Returns the permission codes bound to the {@code hasPermission} attribute.
     *
     * @return the configured codes, or {@code null} if the attribute was never set
     */
    public PermissionCodeSet getHasPermission() {
        return permissionCodes;
    }

    /**
     * Binds the {@code hasPermission} attribute.
     *
     * @param permissionCodes
     *            the codes to check in {@link #doStartTag()}; a {@code null} or empty set makes the tag skip its body
     */
    public void setHasPermission(PermissionCodeSet permissionCodes) {
        this.permissionCodes = permissionCodes;
    }
}