AppFuseAcegiACLSecuringJSPs

Step VIII: How to use the ACLs in your JSPs

In this step we add new JSP Tags to the corresponding pages in order to prevent that a user tries to execute an action he is not allowed to execute on an object.

Securing the personList.jsp

• Open the personForm.jsp
• Replace the the cell "buttonBar" with the following content:

<td class="buttonBar">
	 <authz:acl domainObject="${person}" hasPermission="4,8,1">
	  <input type="submit" class="button" name="save" 
	    onclick="bCancel=false" value="<fmt:message key="button.save"/>" />
	</authz:acl>
	<c:if test="${person.id != null}">
	  <authz:acl domainObject="${person}" hasPermission="16,1">
	    <input type="submit" class="button" name="delete"
	    onclick="bCancel=true;return confirmDelete('Person')" 
	    value="<fmt:message key="button.delete"/>" />
	  </authz:acl>
	</c:if>
  <input type="submit" class="button" name="cancel" onclick="bCancel=true" value="<fmt:message key="button.cancel"/>" />        
</td>

• Take a look at the new tags: The authz tag checks, if the current user has certain permissions on the object stored in the variable person (In this case the rights identified by 1,4 and 8). These ints are the same ints used with Constants in the applicationContext-service.xml, e.g. 1 = org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION.
• Here a short list of different permissions and their int representation:

• All other combinations (like READ_WRITE) are done by OR combinations

Heres the relevant part of the SimpleAclEntry:

Next step