Daniel Lopez wrote:
> Hi Craig,
>
> Now that you mention security and the new specification JSDK2.2...
>
> "Craig R. McClanahan" wrote:
>
> > ...<snip>
>
> > For security, I've taken two different approaches:
> >
> > * In servlet containers that do not support the 2.2 servlet API, I add a little
> > scriptlet that checks the user's session for existence of a LoginBean, and
> > does a <jsp:forward> to the login page if it is missing. The bean would be
> > missing on a new session, if the user's old session timed out (and a new one
> > was created), or after a logoff (where I invalidate the session).
> >
> > * Now that the 2.2 servlet spec lets you define security constraints for
> > URL paths (in much the same way you can configure protection on
> > sets of static content in a web server), I'm going to let the container
> > worry about security -- I will never have to write a login page or check
> > scriptlet again; all I need to worry about is configuring the servlet
> > container on how to look up usernames and roles.
> >
>
> It might be that I haven't really understood how security is specified in JSDK2.2, but
> how would you solve the case of having two different users (with different privileges)
> accessing two different sets of data (which require different roles) using the same
> servlet/JSP (which means the same URL with different request parameters)? A basic
> example: several users accessing their own preferences for an application. You don't want
> one user to see the preferences of another user, and you don't want to create a different
> JSP for each user. Given the JSDK2.2 spec, the only solution I can think of is using
> "isUserInRole()" inside the JSP or the servlet to check whether the parameters match the
> authenticated user, so we are back again to mixing security and business logic. Am I
> missing something?
>
That's exactly what isUserInRole() is for -- to let you vary the response based on the
security permissions of the current user. So, to show a chunk of your JSP page only to
managers, you would do something like this:
<% if (request.isUserInRole("manager")) { %>
... the output that only managers should see ...
<% } %>
To me, this counts as "presentation logic" rather than "business logic", because nothing in
the underlying business model (in your beans) is affected. However, if you don't like
scriptlets embedded in your JSP pages, you can also write a custom tag to accomplish this
-- perhaps it would end up looking like:
<mytags:rolecheck role="manager">
... the output that only managers should see ...
</mytags:rolecheck>
>
> And, if I'm not mistaken, you'll have to redeploy the security part of your application
> every time you change from one container to another. And that's something you didn't
> have to do before.
>
In the sense that every container has its own implementation, you're correct ... you are
going to need to code it differently for each platform, because the interface between
platform and security realm is not standardized (progress in that direction would be good
IMHO). However, it's still a good tradeoff in terms of overall development effort, versus
all the stuff you have to build in to a servlet/JSP app to do it all yourself.
>
> Comments appreciated,
> Dan
Craig
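The division of labour the exchange above arrives at, as an added example that is not code from either poster: the container's <security-constraint> decides whether an authenticated user in an allowed role may reach the URL at all, and the servlet (or a rolecheck tag) decides whether that particular user may see the particular object the request parameters name. The class names, the "owner" parameter, the role names "user" and "manager", and the JSP path are hypothetical; the code assumes the Servlet 2.2 / JSP 1.1 API (javax.servlet), with web.xml mapping the servlet to /preferences and protecting that path.

```java
// Added example for this thread (not Craig's or Dan's code). Servlet 2.2 / JSP 1.1 API.
// Assumes web.xml maps this servlet to /preferences and declares a <security-constraint>
// on /preferences/* requiring an authenticated user in role "user" or "manager", so the
// container has already handled login before doGet() runs. All names are hypothetical.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.tagext.TagSupport;

public class PreferencesServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            // Cannot happen behind a security-constraint, but fail closed in case the
            // servlet is ever mapped to an unprotected URL by mistake.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Whose preferences are being asked for? Default to the caller's own, so a
        // request with no parameter never falls through to somebody else's data.
        String owner = request.getParameter("owner");
        if (owner == null || owner.length() == 0) {
            owner = caller.getName();
        }

        // The container checked the URL; the servlet must check the object (the owner).
        if (!mayView(caller.getName(), request.isUserInRole("manager"), owner)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The JSP lives under /WEB-INF so it cannot be requested directly and
        // thereby skip the check above; it is reachable only through this forward.
        request.setAttribute("owner", owner);
        getServletContext().getRequestDispatcher("/WEB-INF/jsp/preferences.jsp")
                .forward(request, response);
    }

    /** Object-level rule: a user may view only their own preferences; a manager may view anyone's. */
    static boolean mayView(String callerName, boolean callerIsManager, String owner) {
        return callerIsManager || callerName.equals(owner);
    }
}

/**
 * Handler class for the <mytags:rolecheck role="manager"> tag sketched above
 * (hypothetical; it also needs a TLD entry declaring the tag and its "role" attribute).
 * The tag body is evaluated only when the authenticated user holds the named role.
 */
class RoleCheckTag extends TagSupport {
    private String role;

    public void setRole(String role) {
        this.role = role;
    }

    public int doStartTag() {
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
        return request.isUserInRole(role) ? EVAL_BODY_INCLUDE : SKIP_BODY;
    }
}
```

Two points worth noting. First, isUserInRole() answers "does this user hold this role", which is enough for the manager-only chunk of a page but not for "is this the user's own record"; that second question is answered by comparing the Principal the container established against the owner named in the request, which is exactly the check no URL-based constraint can perform for you. Second, the ownership comparison should happen once, in the servlet, before any forward, rather than being repeated in each JSP; the JSP then only varies presentation with the rolecheck tag or scriptlet, which keeps the security decision out of the page as Craig describes.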
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets