
11.9. Using EL-Based Expressions

As an alternative to the built-in authorization annotations, PicketLink also supports EL-Based Expressions to define authorization constraints.
/**
 * Example: restricts invocation with an expression that reads the {@code loggedIn}
 * property of the {@code identity} bean. Per the method name, the intent is to keep
 * unauthenticated callers out.
 */
@Restrict("#{identity.loggedIn}")
public void protectedFromUnauthenticatedUsers() {

}

/**
 * Example: restricts invocation with the {@code isLoggedIn()} EL function rather than a
 * bean property. Per the method name, the intent is to keep unauthenticated callers out.
 */
@Restrict("#{isLoggedIn()}")
public void protectedFromUnauthenticatedUsersFunction() {

}

/**
 * Example: restricts invocation with {@code hasPermission('user_profile','read')}.
 * Presumably the first argument names the resource and the second the operation;
 * confirm the argument order against the PicketLink API before relying on it.
 */
@Restrict("#{hasPermission('user_profile','read')}")
public void protectedWithResourcePermission() {

}

/**
 * Example: restricts invocation with {@code hasPermission('profile','write')}.
 * The method name suggests this is the denial case, i.e. a permission the sample
 * user was not granted.
 */
@Restrict("#{hasPermission('profile','write')}")
public void protectedWithResourceWithoutPermission() {

}

/**
 * Example: restricts invocation with {@code hasRole('Tester')}. The role name is a
 * plain string literal inside the expression, so it is not checked at compile time.
 */
@Restrict("#{hasRole('Tester')}")
public void protectedWithRequiredRole() {

}

/**
 * Example: restricts invocation with {@code hasRole('Invalid Role')}. The method name
 * suggests this is the denial case: a role name that no user holds.
 */
@Restrict("#{hasRole('Invalid Role')}")
public void protectedWithRequiredInvalidRole() {

}

/**
 * Example: restricts invocation with {@code isMember('QA')}. Per the method name,
 * the argument is a group the caller must belong to.
 */
@Restrict("#{isMember('QA')}")
public void protectedWithRequiredGroup() {

}

/**
 * Example: restricts invocation with {@code isMember('Invalid Group')}. The method name
 * suggests this is the denial case: a group the sample user is not a member of.
 */
@Restrict("#{isMember('Invalid Group')}")
public void protectedWithRequiredInvalidGroup() {

}

/**
 * Example: combines two checks with the EL {@code and} operator, so both
 * {@code isMember('QA')} and {@code hasRole('Tester')} must be true for the
 * expression to be true.
 */
@Restrict("#{isMember('QA') and hasRole('Tester')}")
public void protectedWithRequiredMemberAndRole() {

}

/**
 * Example: combines {@code isMember('QA')} and {@code hasRole('Invalid Role')} with
 * {@code and}. The method name suggests this is the denial case: one false operand
 * makes the whole conjunction false.
 */
@Restrict("#{isMember('QA') and hasRole('Invalid Role')}")
public void protectedWithRequiredMemberAndInvalidRole() {

}

/**
 * Example: restricts invocation with {@code hasPartition('default')}. Per the method
 * name, the argument is the name of the partition required of the caller.
 */
@Restrict("#{hasPartition('default')}")
public void protectedWithRequiredPartitionName() {

}

/**
 * Example: restricts invocation with {@code hasPartition('invalid partition')}. The
 * method name suggests this is the denial case: a partition name that does not match.
 */
@Restrict("#{hasPartition('invalid partition')}")
public void protectedWithInvalidPartitionName() {

}

/**
 * Example: restricts invocation with {@code hasAttribute('someAttribute')}.
 * NOTE(review): an attribute-based constraint is only as trustworthy as the code that
 * sets the attribute; confirm that users cannot set this attribute on their own account.
 */
@Restrict("#{hasAttribute('someAttribute')}")
public void protectedWithAttribute() {

}

/**
 * Example: restricts invocation with {@code hasAttribute('invalidAttribute')}. The
 * method name suggests this is the denial case: an attribute the sample user lacks.
 */
@Restrict("#{hasAttribute('invalidAttribute')}")
public void protectedWithInvalidAttribute() {

}

/**
 * Example: restricts invocation by navigating the {@code identity} bean directly
 * instead of calling a function; the expression is true when {@code identity.account}
 * is not null.
 */
@Restrict("#{identity.account != null}")
public void protectedWithValidAccountExpression() {

}

/**
 * Example: restricts invocation by comparing the partition name reached through
 * {@code identity.account.partition.name} with the literal {@code 'default'}.
 */
@Restrict("#{identity.account.partition.name == 'default'}")
public void protectedWithValidPartitionExpression() {

}

/**
 * Example: restricts invocation with a negative comparison; the expression is true when
 * the account's partition name differs from {@code 'default'}. The method name suggests
 * this is the denial case for a user in the default partition.
 * NOTE(review): in standard EL a null intermediate property resolves to null and
 * {@code null != 'default'} is true, so a negated expression like this may also pass
 * when there is no account at all. Confirm, and add an explicit logged-in check if
 * that is not intended.
 */
@Restrict("#{identity.account.partition.name != 'default'}")
public void protectedWithInvalidPartitionExpression() {

}

/**
 * Example: restricts invocation by looking up {@code 'someAttribute'} in
 * {@code identity.account.attributes}; the expression is true when the lookup
 * does not yield null.
 */
@Restrict("#{identity.account.attributes['someAttribute'] != null}")
public void protectedWithValidAccountAttributeExpression() {

}

/**
 * Example: restricts invocation by comparing the value of {@code 'someAttribute'} in
 * {@code identity.account.attributes} with the literal {@code 'someValue'}.
 * NOTE(review): the decision rests on a stored attribute value; confirm that only
 * trusted code can write this attribute.
 */
@Restrict("#{identity.account.attributes['someAttribute'] == 'someValue'}")
public void protectedWithValidAccountAttributeValueExpression() {

}

/**
 * Example: restricts invocation by comparing the value of {@code 'someAttribute'} with
 * the literal {@code 'invalidValue'}. The method name suggests this is the denial case:
 * the stored value does not match.
 */
@Restrict("#{identity.account.attributes['someAttribute'] == 'invalidValue'}")
public void protectedWithInvalidAccountAttributeValueExpression() {

}
EL expressions extend the authorization capabilities by giving access to some additional functions and information, such as:
  • #{identity} - The current Identity bean instance representing the authenticated user. From there you can invoke all public methods defined by this interface.
  • #{hasAttributes('someAttribute')} - A handy function that checks whether the authenticated user has a specific ad-hoc attribute set. (The examples above spell this function hasAttribute.)