11.9. Using EL-Based Expressions
As an alternative to the built-in authorization annotations, PicketLink also supports EL-Based Expressions to define authorization constraints.

    @Restrict("#{identity.loggedIn}")
    public void protectedFromUnauthenticatedUsers() { }

    @Restrict("#{isLoggedIn()}")
    public void protectedFromUnauthenticatedUsersFunction() { }

    @Restrict("#{hasPermission('user_profile','read')}")
    public void protectedWithResourcePermission() { }

    @Restrict("#{hasPermission('profile','write')}")
    public void protectedWithResourceWithoutPermission() { }

    @Restrict("#{hasRole('Tester')}")
    public void protectedWithRequiredRole() { }

    @Restrict("#{hasRole('Invalid Role')}")
    public void protectedWithRequiredInvalidRole() { }

    @Restrict("#{isMember('QA')}")
    public void protectedWithRequiredGroup() { }

    @Restrict("#{isMember('Invalid Group')}")
    public void protectedWithRequiredInvalidGroup() { }

    @Restrict("#{isMember('QA') and hasRole('Tester')}")
    public void protectedWithRequiredMemberAndRole() { }

    @Restrict("#{isMember('QA') and hasRole('Invalid Role')}")
    public void protectedWithRequiredMemberAndInvalidRole() { }

    @Restrict("#{hasPartition('default')}")
    public void protectedWithRequiredPartitionName() { }

    @Restrict("#{hasPartition('invalid partition')}")
    public void protectedWithInvalidPartitionName() { }

    @Restrict("#{hasAttribute('someAttribute')}")
    public void protectedWithAttribute() { }

    @Restrict("#{hasAttribute('invalidAttribute')}")
    public void protectedWithInvalidAttribute() { }

    @Restrict("#{identity.account != null}")
    public void protectedWithValidAccountExpression() { }

    @Restrict("#{identity.account.partition.name == 'default'}")
    public void protectedWithValidPartitionExpression() { }

    @Restrict("#{identity.account.partition.name != 'default'}")
    public void protectedWithInvalidPartitionExpression() { }

    @Restrict("#{identity.account.attributes['someAttribute'] != null}")
    public void protectedWithValidAccountAttributeExpression() { }

    @Restrict("#{identity.account.attributes['someAttribute'] == 'someValue'}")
    public void protectedWithValidAccountAttributeValueExpression() { }

    @Restrict("#{identity.account.attributes['someAttribute'] == 'invalidValue'}")
    public void protectedWithInvalidAccountAttributeValueExpression() { }

EL expressions extend the authorization capabilities by giving access to additional functions and information, such as:
- #{identity}: The current Identity bean instance representing the authenticated user. From there you can invoke all public methods defined by this interface.
- #{hasAttributes('someAttribute')}: A handy function that checks if the authenticated user is set with a specific ad-hoc attribute.