8 Using the JSP Standard Tag Library

The JavaServer Pages Standard Tag Library (JSTL) consists of custom JavaServer Pages (JSP) elements that encapsulate recurring tasks. Custom tags are reusable JSP components, distributed in a tag library, that contain the objects implementing those tasks. Oracle Entitlements Server provides its own tag library of custom tags that call its authorization API; developers can use these tags in JSP pages to build web applications whose content is gated by authorization decisions. The sections in this chapter describe the custom Oracle Entitlements Server JSP tags.

8.1 Using the Tag Library

When using the Oracle Entitlements Server tag library (together with the JSTL core tags used in the examples in this chapter), declare both in your JSP with the following directives:

<%@ taglib uri="http://www.oracle.com/oes/utils/tags/" prefix="oes" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

Additionally, add the oestags.jar to the classpath. oestags.jar is located in the OES_CLIENT_HOME/oessm/oestags/ directory in a Security Module installation or in the OES_ADMIN_HOME/oes/oestags/ directory in an Oracle Entitlements Server Administration Server installation.

8.2 Defining the Functional Tags

These functional JSP tags expose the authorization features of Oracle Entitlements Server. The following sections contain information on these functional tags.

8.2.1 isAccessAllowed Tag

isAccessAllowed checks whether the current user is authorized to perform an action on a specific resource. If access is allowed, the content of the then tag is displayed; if not, it is skipped and the content of the else tag, if present, is displayed. This is a cooperative and conditional tag: it evaluates to true or false, exposes that result to the JSP through resultVar, and exposes any obligations returned by the authorization call through obligationVar. The tag only returns obligations; acting on them is the responsibility of the page.

Note:

Content that is to be shown depending on the result must be placed inside the then or else tag. JSP content cannot be written directly in the tag body without then/else.

Table 8-1 documents the isAccessAllowed tag definition.

Table 8-1 isAccessAllowed Tag Definition

Name: resource (Mandatory)
Description: The resource used when calling isAccessAllowed.
Return Type: not applicable

Name: resourceType (Optional)
Description: The type of the resource used when calling isAccessAllowed. If not set, the global resource type set by setSecurityContext is used.
Return Type: not applicable

Name: action (Optional)
Description: The action used when calling isAccessAllowed. The default action is view.
Return Type: not applicable

Name: resultVar (Optional)
Description: The name of the scripting variable that records whether access is allowed.
Return Type: boolean

Name: resultVarScope (Optional)
Description: The scope of resultVar (page, request, session, or application). The default scope is page.
Return Type: not applicable

Name: obligationVar (Optional)
Description: The name of the variable that receives the obligations returned by the isAccessAllowed call.
Return Type: A map of obligations; the key is the obligation name and the value is a map of that obligation's attribute names to attribute values.

Name: obligationVarScope (Optional)
Description: The scope of the variable containing the obligations (page, request, session, or application). The default scope is page.
Return Type: not applicable

Example 8-1 illustrates how isAccessAllowed may be used.

Example 8-1 isAccessAllowed Tag Example

<%-- Set global attributes for every authorization tag on this page --%>
<oes:setSecurityContext appId="TagLibraryApp" resourceType="image"
    resourcePrefix="images/">
  <oes:attribute name="test_attr" value="good_job"/>
</oes:setSecurityContext>

<%-- Request-local values: a scriptlet rather than a declaration block, so they are
     not servlet fields shared between concurrent requests --%>
<%
    String resourceStr = "private.jpg";   // checked as images/private.jpg (resourcePrefix)
    String actionStr = "read";
    String returnVar = "isAllowed";
%>

<%-- Test for isAccessAllowed tag, with then/else --%>
<oes:isAccessAllowed resource="<%= resourceStr %>" action="<%= actionStr %>"
    resultVar="<%= returnVar %>" obligationVar="obligations">
  <oes:attribute name="test_attr_local" value="hard_work"/>
  <oes:then>
    You have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
    <img src="images/private.jpg" width="250" height="150"/> <br/>
    The obligations are: <br/>
    <c:forEach items="${obligations}" var="entry">
      <c:out value="${entry.key}"/> &nbsp;=&nbsp; <c:out value="${entry.value}"/> <br/>
    </c:forEach>
  </oes:then>
  <oes:else>
    You do not have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
  </oes:else>
</oes:isAccessAllowed>

<%-- Another way to use isAccessAllowed: no then/else in the body, then branch on
     the resultVar (isAllowed) with JSTL --%>
<oes:isAccessAllowed resource="<%= resourceStr %>" action="<%= actionStr %>"
    resultVar="<%= returnVar %>" obligationVar="obligations">
  <oes:attribute name="test_attr_local" value="hard_work"/>
</oes:isAccessAllowed>
<c:choose>
  <c:when test="${isAllowed}">
    You have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
    <img src="images/private.jpg" width="250" height="150"/>
    The obligations are: <br/>
    <c:forEach items="${obligations}" var="entry">
      <c:out value="${entry.key}"/> &nbsp;=&nbsp; <c:out value="${entry.value}"/> <br/>
    </c:forEach>
  </c:when>
  <c:otherwise>
    You do not have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
  </c:otherwise>
</c:choose>
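The following is an added example, not code from this chapter or from Oracle, showing how a page can act on the obligation map described in Table 8-1 rather than only printing it. It assumes an application named TagLibraryApp with an image resource type, as in Example 8-1, and a hypothetical policy that returns an obligation named watermark carrying a text attribute; the obligation and attribute names are assumptions. Because the tag only returns obligations, the page has to enforce them itself, and it renders every policy-supplied value through c:out so that it is HTML-escaped.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib uri="http://www.oracle.com/oes/utils/tags/" prefix="oes" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- Added example (not part of the chapter). Assumed: application "TagLibraryApp",
     resource type "image", a policy protecting images/private.jpg, and a policy
     that may return an obligation named "watermark" with a "text" attribute. --%>
<oes:setSecurityContext appId="TagLibraryApp" resourceType="image" resourcePrefix="images/">
  <oes:attribute name="channel" value="web"/>
</oes:setSecurityContext>

<%-- Decision and obligations go into request scope so that a page this one
     forwards to or includes can read them too --%>
<oes:isAccessAllowed resource="private.jpg" action="read"
    resultVar="canRead" resultVarScope="request"
    obligationVar="readObligations" obligationVarScope="request">
  <oes:attribute name="channel_local" value="mobile"/>
  <oes:then>
    <img src="images/private.jpg" alt="private" width="250" height="150"/>
    <%-- The tag only returns obligations; enforcing them is the page's job.
         Walk the nested map: obligation name -> (attribute name -> attribute value).
         c:out escapes the values, which originate in policy data. --%>
    <ul>
    <c:forEach items="${readObligations}" var="obligation">
      <li><c:out value="${obligation.key}"/>
        <ul>
        <c:forEach items="${obligation.value}" var="attr">
          <li><c:out value="${attr.key}"/> = <c:out value="${attr.value}"/></li>
        </c:forEach>
        </ul>
      </li>
    </c:forEach>
    </ul>
    <%-- Act on one specific (assumed) obligation: render the mandated watermark text --%>
    <c:if test="${not empty readObligations['watermark']}">
      <p class="watermark"><c:out value="${readObligations['watermark']['text']}"/></p>
    </c:if>
  </oes:then>
  <oes:else>
    <p>You do not have permission to read the image private.jpg.</p>
  </oes:else>
</oes:isAccessAllowed>

<%-- The request-scoped decision is still available after the tag has closed --%>
<c:if test="${requestScope.canRead}">
  <a href="images/private.jpg">Download private.jpg</a>
</c:if>
```

The inner c:forEach iterates the attribute map of each obligation, which is what the documented return type (a map of maps) requires; printing entry.value directly, as the chapter's examples do, only shows the map's toString output.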

8.2.2 isAccessNotAllowed Tag

isAccessNotAllowed checks whether the current user is denied access to a specific resource; it is the inverse of isAccessAllowed. If access is not allowed, the content of the then tag is displayed; if access is allowed, it is skipped and the content of the else tag, if present, is displayed. This is a cooperative and conditional tag: it evaluates to true when access is denied and false otherwise, exposes that result to the JSP through resultVar, and exposes any obligations returned by the authorization call through obligationVar so that the JSP can process them later.

Note:

Content that is to be shown depending on the result must be placed inside the then or else tag. JSP content cannot be written directly in the tag body without then/else.

Table 8-2 documents the isAccessNotAllowed tag definition.

Table 8-2 isAccessNotAllowed Tag Definition

Name: resource (Mandatory)
Description: The resource used when calling isAccessAllowed.
Return Type: not applicable

Name: resourceType (Optional)
Description: The type of the resource used when calling isAccessAllowed. If not set, the global resource type set by setSecurityContext is used.
Return Type: not applicable

Name: action (Optional)
Description: The action used when calling isAccessAllowed. The default action is view.
Return Type: not applicable

Name: resultVar (Optional)
Description: The name of the scripting variable that records whether access is denied; it is true when the user is not allowed to perform the action on the resource.
Return Type: boolean

Name: resultVarScope (Optional)
Description: The scope of resultVar (page, request, session, or application). The default scope is page.
Return Type: not applicable

Name: obligationVar (Optional)
Description: The name of the variable that receives the obligations returned by the isAccessAllowed call.
Return Type: A map of obligations. The key is the obligation name and the value is a map of that obligation's attribute names to attribute values.

Name: obligationVarScope (Optional)
Description: The scope of the variable containing the obligations (page, request, session, or application). The default scope is page.
Return Type: not applicable

Example 8-2 illustrates how isAccessNotAllowed may be used.

Example 8-2 isAccessNotAllowed Tag Example

<%-- Test for isAccessNotAllowed tag: the then branch runs when access is denied.
     resourceStr and actionStr are declared in Example 8-1 --%>
<oes:isAccessNotAllowed resource="<%= resourceStr %>" action="<%= actionStr %>"
    resultVar="isNotAllowed" obligationVar="obligations_not">
  <oes:then>
    You do not have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
    The obligations are: <br/>
    <c:forEach items="${obligations_not}" var="entry">
      <c:out value="${entry.key}"/> &nbsp;=&nbsp; <c:out value="${entry.value}"/> <br/>
    </c:forEach>
  </oes:then>
  <oes:else>
    You have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
    <img src="images/private.jpg" width="250" height="150"/>
    The obligations are: <br/>
    <c:forEach items="${obligations_not}" var="entry">
      <c:out value="${entry.key}"/> &nbsp;=&nbsp; <c:out value="${entry.value}"/> <br/>
    </c:forEach>
  </oes:else>
</oes:isAccessNotAllowed>

<%-- Another way to use isAccessNotAllowed: empty body, then branch on the
     resultVar. isNotAllowed is true when access is denied --%>
<oes:isAccessNotAllowed resource="<%= resourceStr %>" action="<%= actionStr %>"
    resultVar="isNotAllowed" obligationVar="obligations_not"/>
<c:choose>
  <c:when test="${isNotAllowed}">
    You do not have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
  </c:when>
  <c:otherwise>
    You have permission to <%= actionStr %> the image <%= resourceStr %>. <br/>
    <img src="images/private.jpg" width="250" height="150"/>
    The obligations are: <br/>
    <%-- obligations_not is the obligationVar named on the tag above --%>
    <c:forEach items="${obligations_not}" var="entry">
      <c:out value="${entry.key}"/> &nbsp;=&nbsp; <c:out value="${entry.value}"/> <br/>
    </c:forEach>
  </c:otherwise>
</c:choose>

8.2.3 getUserRoles Tag

getUserRoles retrieves the roles assigned to the user for a particular resource and action. This is a cooperative tag that returns a variable to the JSP that can be used later for processing. Table 8-3 documents the getUserRoles tag definition.

Table 8-3 getUserRoles Tag Definition

Name: resource (Mandatory)
Description: The resource used when calling getUserRoles.
Return Type: not applicable

Name: resourceType (Optional)
Description: The type of the resource used when calling getUserRoles. If not set, the global resource type set by setSecurityContext is used.
Return Type: not applicable

Name: action (Optional)
Description: The action used when calling getUserRoles. The default action is view.
Return Type: not applicable

Name: resultVar (Mandatory)
Description: The name of the variable that receives the list of the user's roles.
Return Type: A list of strings (role names).

Name: resultVarScope (Optional)
Description: The scope of resultVar (page, request, session, or application). The default scope is page.
Return Type: not applicable

Example 8-3 illustrates how getUserRoles may be used.

Example 8-3 getUserRoles Tag Example

<%-- Test for tag getUserRoles --%>
<oes:setSecurityContext appId="TagLibraryApp" resourceType="jspfile"
    resourcePrefix="">
  <oes:attribute name="myroleattr" value="its_my_role"/>
</oes:setSecurityContext>
<oes:getUserRoles resource="protected/rolepolicy.jsp" action="write"
    resultVar="rolenames"/>
<c:out value="Role names are : "/>
<c:forEach items="${rolenames}" var="rolename">
  <c:out value="${rolename}"/> <br/>
</c:forEach>

8.2.4 isUserInRole Tag

isUserInRole checks whether the current user has been assigned the specified role for a particular resource and action. This is a cooperative and conditional tag: it evaluates to true if the user has the role and false otherwise, and can store that result in a variable for later processing in the JSP.

Note:

Content that is to be shown depending on the result must be placed inside the then or else tag. JSP content cannot be written directly in the tag body without then/else.

Table 8-4 documents the isUserInRole tag definition.

Table 8-4 isUserInRole Tag Definition

Name: role (Mandatory)
Description: The name of the role to check against the user.
Return Type: not applicable

Name: resource (Mandatory)
Description: The name of the resource against which the user's roles are checked.
Return Type: not applicable

Name: resourceType (Optional)
Description: The type of the resource against which the user's roles are checked. If not set, the global resource type set by setSecurityContext is used.
Return Type: not applicable

Name: action (Optional)
Description: The action on the resource against which the user's role is checked. The default action is view.
Return Type: not applicable

Name: resultVar (Optional)
Description: A variable that holds the result of isUserInRole for later use.
Return Type: boolean

Name: resultVarScope (Optional)
Description: The scope of resultVar (page, request, session, or application). The default scope is page.
Return Type: not applicable

Example 8-4 illustrates how isUserInRole may be used.

Example 8-4 isUserInRole Tag Example

<%-- Test for tag isUserInRole --%>
<oes:isUserInRole role="tagrole1" resource="protected/rolepolicy.jsp"
    action="write" resultVar="isUserInRole" resultVarScope="request">
  <oes:then>You are in the role "tagrole1".</oes:then>
  <oes:else>You are not in the role "tagrole1".</oes:else>
</oes:isUserInRole>

<%-- The request-scoped result can also be tested with JSTL. The query parameter
     passed to the iframe only reports the result; any client can set it, so
     protected/rolepolicy.jsp must not rely on it and must run its own check --%>
<c:choose>
  <c:when test="${isUserInRole}">
    <iframe src="protected/rolepolicy.jsp?isUserInRole=<c:out value='${isUserInRole}'/>"
        width="500" height="250"></iframe>
  </c:when>
  <c:otherwise>
    You are not in role "tagrole1", and cannot see the content of
    protected/rolepolicy.jsp.
  </c:otherwise>
</c:choose>
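The following is an added example, not code from this chapter or from Oracle, that combines getUserRoles and isUserInRole on one page and keeps the role decision in request scope for a jsp:include, instead of passing it to a second page as a query parameter as Example 8-4 does; a query parameter can be set by the client, so a framed or included page must not trust it. The application, resource and role names follow Examples 8-3 and 8-4; the fragment file protected/rolepolicy_fragment.jsp is hypothetical.

```jsp
<%-- roles.jsp: added example, not part of the chapter. Assumed: application
     "TagLibraryApp", resource type "jspfile", role "tagrole1", and a hypothetical
     fragment protected/rolepolicy_fragment.jsp (shown at the end of this block) --%>
<%@ taglib uri="http://www.oracle.com/oes/utils/tags/" prefix="oes" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<oes:setSecurityContext appId="TagLibraryApp" resourceType="jspfile" resourcePrefix="">
  <oes:attribute name="myroleattr" value="its_my_role"/>
</oes:setSecurityContext>

<%-- All roles the user holds for this resource and action, as a comma-separated list --%>
<oes:getUserRoles resource="protected/rolepolicy.jsp" action="write" resultVar="rolenames"/>
<p>Your roles for protected/rolepolicy.jsp (write):
  <c:forEach items="${rolenames}" var="rolename" varStatus="st">
    <c:out value="${rolename}"/><c:if test="${not st.last}">, </c:if>
  </c:forEach>
</p>

<%-- Keep the decision in request scope so the included fragment can read it.
     Passing it on as a query parameter would let the client set it to "true" --%>
<oes:isUserInRole role="tagrole1" resource="protected/rolepolicy.jsp" action="write"
    resultVar="isUserInRole" resultVarScope="request"/>
<c:choose>
  <c:when test="${requestScope.isUserInRole}">
    <jsp:include page="protected/rolepolicy_fragment.jsp"/>
  </c:when>
  <c:otherwise>
    <p>You are not in the role "tagrole1" and cannot see the role policy content.</p>
  </c:otherwise>
</c:choose>

<%-- ===== protected/rolepolicy_fragment.jsp (hypothetical, a separate file) =====
     The fragment re-checks the role itself rather than trusting the request
     attribute, so it stays safe if it is ever reached by a direct request --%>
<%@ taglib uri="http://www.oracle.com/oes/utils/tags/" prefix="oes" %>
<oes:setSecurityContext appId="TagLibraryApp" resourceType="jspfile" resourcePrefix="">
  <oes:attribute name="myroleattr" value="its_my_role"/>
</oes:setSecurityContext>
<oes:isUserInRole role="tagrole1" resource="protected/rolepolicy.jsp" action="write">
  <oes:then><p>Role policy content visible to tagrole1.</p></oes:then>
  <oes:else><p>Not authorized.</p></oes:else>
</oes:isUserInRole>
```

The second check in the fragment is deliberate: the authorization call is cheap compared with the cost of a fragment that renders protected content whenever someone reaches it without going through the including page.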

8.3 Defining the Assistant Tags

Assistant (also known as non-functional) tags are helper tags. The following sections contain information on these assistant tags.

8.3.1 setSecurityContext Tag

setSecurityContext is a cooperative tag that sets up, in page scope, the data used by the other tags: the application ID, the resource type, and the prefix of the resource name. Attributes that should be set globally in the application context are set in the body of this tag using the attribute tag (as described in Section 8.3.2, "attribute Tag"); they are then passed in the application context as elements of every authorization call made by the tags on the page. Table 8-5 documents the setSecurityContext tag definition.

Table 8-5 setSecurityContext Tag Definition

Name: appId (Mandatory)
Description: The application ID of the security context; it is used to construct the runtime resource for all other tags on the page that have a resource attribute.
Return Type: not applicable

Name: resourceType (Optional)
Description: The global resource type, used by all other authorization tags on the page that do not set their own resourceType.
Return Type: not applicable

Name: resourcePrefix (Optional)
Description: The prefix of the resource name. If most of the resources on one JSP share the same prefix, this attribute shortens the resource name given to each authorization tag. For example, if many images protected by the Authorization Policy are under /product/cat1/images/, the prefix can be set to /product/cat1/images/ and each resource name is then the simple image name, such as mobile.jpg.
Return Type: not applicable

Example 8-5 illustrates how setSecurityContext may be used.

Example 8-5 setSecurityContext Tag Example

<%-- Set global attributes --%>
    <oes:setSecurityContext appId="TagLibraryApp" resourceType="image" 
      resourcePrefix="images/">
      <oes:attribute name="test_attr" value="good_job"/>
    </oes:setSecurityContext>
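The following is an added example, not code from this chapter or from Oracle, showing resourcePrefix shortening the resource names of several authorization tags on one page, and one tag overriding the global resourceType set by setSecurityContext. The application name CatalogApp, the resource names under /product/cat1/, the resource types image and jspfile, and the image list are assumptions.

```jsp
<%-- catalog.jsp: added example, not part of the chapter. Assumed: application
     "CatalogApp", resource types "image" and "jspfile", and resources under
     /product/cat1/ in the policy store --%>
<%@ taglib uri="http://www.oracle.com/oes/utils/tags/" prefix="oes" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<oes:setSecurityContext appId="CatalogApp" resourceType="image" resourcePrefix="/product/cat1/">
  <oes:attribute name="channel" value="web"/>
</oes:setSecurityContext>

<%-- Constructed list of image names. Each tag names only the part after the
     prefix, so "images/mobile.jpg" is checked as /product/cat1/images/mobile.jpg
     with the global resource type "image" --%>
<% String[] images = { "images/mobile.jpg", "images/tablet.jpg", "images/internal.jpg" }; %>
<ul>
<% for (String image : images) { %>
  <oes:isAccessAllowed resource="<%= image %>" action="view">
    <oes:then><li><img src="<%= image %>" alt="" width="250" height="150"/></li></oes:then>
    <oes:else><li><%= image %>: not authorized to view</li></oes:else>
  </oes:isAccessAllowed>
<% } %>
</ul>

<%-- Per-tag override of the global resource type. The prefix still applies, so
     this checks /product/cat1/index.jsp as a resource of type "jspfile" --%>
<oes:isAccessAllowed resource="index.jsp" resourceType="jspfile" action="view"
    resultVar="canViewIndex"/>
<c:if test="${canViewIndex}">
  <a href="index.jsp">Product home</a>
</c:if>
```

Because the prefix is prepended to every resource name on the page, a resource that does not live under the prefix needs either its full path relative to the prefix or a new setSecurityContext, as Example 8-3 does with an empty prefix.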

8.3.2 attribute Tag

attribute is a tag used inside the other Oracle Entitlements Server JSP tags to pass extra variables into the Oracle Entitlements Server application context. These variables can be referenced by the constraints written against Authorization Policies. Table 8-6 documents the attribute tag definition.

Table 8-6 attribute Tag Definition

Name: name (Mandatory)
Description: The name of the attribute to set in the application context.
Return Type: not applicable

Name: value (Mandatory)
Description: The value of the attribute to set in the application context.
Return Type: not applicable

Example 8-6 illustrates how attribute may be used.

Example 8-6 attribute Tag Example

<oes:attribute name="myroleattr" value="its_my_role"/>

8.3.3 then/else Tags

then/else are the tags used to display content for the conditional tags (isAccessAllowed, isAccessNotAllowed and isUserInRole). If the result of the conditional tag is true, the content of the then tag is displayed; otherwise the content of the else tag is displayed. These are simple tags that take no attributes, so no definition table is given.