Automatically disabling links in JSF based on security settings
Posted by swd847 in Stuart Douglas's Blog on Jun 6, 2010 1:57:29 AMWith an app that I worked on recently it was decided that links the user did not have permission to view would show up as disabled. There was quite a lot of links in the application, and I am pretty lazy, so I decided to have a look and see if there was a better way of doing this than having to edit the disabled property of all the links. As it turns out there is using a facelets TagDecorator (this is now part of JSF 2).
A TagDecorator allows you to modify a tag on your page before the page is compiled, I decided to use it to automatically add an el based 'disabled' property to all my s:link and s:button controls:
public class SecurityTagDecorator implements TagDecorator { public Tag decorate(Tag tag) { if (!tag.getNamespace().equals("http://jboss.com/products/seam/taglib")) { return null; } //we are only interested in s:link and s:button if (tag.getLocalName().equals("link") || tag.getLocalName().equals("button")) { TagAttribute view = tag.getAttributes().get("view"); if (view == null) { return null; } String viewId = view.getValue(); //don't try and fix el based permission if (viewId.contains("#{")) { return null; } //el expression that tests if a page is viewable String disabled = "#{not pageSecurityManager.isViewable('" + viewId + "')}"; //we also add the permissionDenied styleClass to the link String styleClass = "#{pageSecurityManager.isViewable('" + viewId + "') ? '' : ' permissionDenied'}"; TagAttribute[] at = tag.getAttributes().getAll(); boolean styleFound = false; boolean disFound = false; //loop through all the attributes on the tag. We need to make sure there is //not an existing diabled or styleClass tag. //if there is we replace it for (int j = 0; j < at.length; ++j) { TagAttribute i = at[j]; if (i.getLocalName().equals("styleClass")) { styleFound = true; String val = i.getValue(); //add our style el expression to the existing attribute TagAttribute ti = new TagAttribute(i.getLocation(), i .getNamespace(), i.getLocalName(), i.getQName(), val + styleClass); at[j] = ti; } if (i.getLocalName().equals("disabled")) { disFound = true; //replace the disabled attribute TagAttribute ti = new TagAttribute(i.getLocation(), i .getNamespace(), i.getLocalName(), i.getQName(), disabled); at[j] = ti; } } //if the attributes were not found we add new ones if (!styleFound) { TagAttribute ti = new TagAttribute(tag.getLocation(), "", "styleClass", "styleClass", styleClass); TagAttribute[] old = at; at = new TagAttribute[old.length + 1]; for (int k = 0; k < old.length; ++k) { at[k] = old[k]; } at[old.length] = ti; } if (!disFound) { TagAttribute ti = new TagAttribute(tag.getLocation(), "", "disabled", "disabled", disabled); TagAttribute[] old = at; at = new TagAttribute[old.length + 1]; for (int k = 0; k < old.length; ++k) { at[k] = old[k]; } at[old.length] = ti; } //return our modified tag TagAttributes ats = new TagAttributes(at); return new Tag(tag, ats); } return null; } }
We then need to register our TagDecorator in web.xml:
<context-param> <param-name>facelets.DECORATORS</param-name> <param-value> com.mydomain.SecurityTagDecorator; </param-value> </context-param>
And vola, all the s:links in the application are automatically disabled if the user does not have permission to use them.
Comments