-
The <sec:authorize> tag conditionally renders its content based on role-based access control using SecurityContext. It provides three mutually exclusive ways to check user roles: single role check, any-of-roles check, or all-of-roles check.
Usage
To use the security taglib, declare the omnifaces.security namespace in your Facelets view:
<html xmlns:sec="omnifaces.security">The <sec:authorize> tag requires exactly one of the following attributes: role, anyRole, or allRoles.
Single role check
Use the role attribute to check if the user has a specific role. The content will only be rendered if the user has the specified role.
<sec:authorize role="ADMIN">
<h:link value="Admin Panel" outcome="/admin" />
</sec:authorize>Any-of-roles check
Use the anyRole attribute with comma-separated role names to check if the user has at least one of the specified roles. The content will be rendered if the user has any of the roles.
<sec:authorize anyRole="ADMIN, MODERATOR, EDITOR">
<h:link value="Content Management" outcome="/cms" />
</sec:authorize>All-of-roles check
Use the allRoles attribute with comma-separated role names to check if the user has all of the specified roles. The content will only be rendered if the user has all of the roles.
<sec:authorize allRoles="ADMIN, AUDITOR">
<h:link value="Audit Logs" outcome="/audit" />
</sec:authorize>Exposing authorization result
The optional var attribute exposes the boolean authorization result as a view-scoped variable. This is useful when you need to use the authorization result in multiple places without repeating the role check.
<sec:authorize role="ADMIN" var="isAdmin" />
<h:panelGroup rendered="#{isAdmin}">
<h:link value="Admin Panel" outcome="/admin" />
</h:panelGroup>
<h:outputText value="Welcome, Administrator!" rendered="#{isAdmin}" />The variable is always set regardless of whether the content inside the tag is rendered or not.
Configuration
This tag requires SecurityContext from jakarta.security.enterprise to be available. If the security context is not available, a warning will be logged and no content will be rendered. Make sure your application has Jakarta Security properly configured.