Hi Daniel,
Daniel Lopez wrote:
>
> It might be that I haven't really understood how security is specified in JSDK2.2 but
> how would you solve the case of having two different users (with different privileges)
> accessing two different sets of data (which require different roles) using the same
> servlet/JSP (which means the same URL with different request parameters)? A basic
> example, several users accessing their own preferences for an application. You don't
> want one user to see the preferences of another user and you don't want to create a
> different JSP for each user.
You should clearly distinguish between privileges and data! Roles are essentially a
number of privileges defined by you. If role "my_role" has the privilege
"modify_preferences" your business logic should load preferences based on the user
using getUserPrincipal() and enable the privileges screen.
> Given the JSDK2.2 spec, the only solution I can think of, is using
> "isUserInRole()" inside the JSP or the servlet to check whether the parameters match
> the authenticated user, so we are back again to mixing security and business logic.
> Am I missing something?
Privileges are unfortunately not abstracted by the servlet API, which means that your
user interface has lots of ugly statements where you need to check all roles which may
use a feature of your application. It is even worse when you add a role into an existing
application. Then you need to adjust all screens where the role is used.
<% if ( request.isUserInRole( "viewer" )
|| request.isUserInRole( "customer" )
|| request.isUserInRole( "administrator" ) ) { %>
<A href="...">Modify preferences</A>
<% } %>
When you base your user interface on privileges instead you only need to change the
code when you add features to your application.
<%-- hasPrivilege() does not exist in the servlet API; this shows what the check would look like --%>
<% if ( request.hasPrivilege( "modify_preferences" ) ) { %>
<A href="...">Modify preferences</A>
<% } %>
> And, if I'm not mistaken, you'll have to redeploy the security part of your
> application every time you change from one container to another. And that's something
> you didn't have to do before.
I don't think this is true as all 2.2 compatible containers will probably use the same
method on how to declare the user/roles.
>
>
> Comments appreciated,
> Dan
> -------------------------------------------
> Daniel Lopez Janariz ([EMAIL PROTECTED])
> Web Services
> Computer Center
> Balearic Islands University
> -------------------------------------------
>
best regards,
Janco
------------------------------------------------------------
COAS, Your partner in computer aided services
Nijverheidsweg 34 Tel: +31 (0) 187 49 3222
Postbus 44 Fax: +31 (0) 187 49 2912
3250 AA Stellendam Email: [EMAIL PROTECTED]
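The role-to-privilege layer Janco describes, written out as an added example (not code from the original mail): one mapping table that is edited when a role is added, a hasPrivilege() helper built on the real isUserInRole() call, and the preference owner taken from getUserPrincipal() rather than from a request parameter. The role and privilege names are assumptions for illustration.

```java
// Added example: a privilege layer on top of the servlet 2.2 role API, so JSPs
// test a privilege name instead of listing every role that may use a feature.
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

public final class Privileges {
    // The single place to edit when a new role is added: role -> privileges.
    // Role and privilege names below are assumed for illustration.
    private static final Map<String, Set<String>> ROLE_PRIVILEGES = new HashMap<>();
    static {
        ROLE_PRIVILEGES.put("viewer",
            new HashSet<>(Arrays.asList("view_preferences")));
        ROLE_PRIVILEGES.put("customer",
            new HashSet<>(Arrays.asList("view_preferences", "modify_preferences")));
        ROLE_PRIVILEGES.put("administrator",
            new HashSet<>(Arrays.asList("view_preferences", "modify_preferences", "manage_users")));
    }

    private Privileges() {}

    /** True if the authenticated user holds any role that grants the privilege. */
    public static boolean hasPrivilege(HttpServletRequest request, String privilege) {
        for (Map.Entry<String, Set<String>> e : ROLE_PRIVILEGES.entrySet()) {
            if (e.getValue().contains(privilege) && request.isUserInRole(e.getKey())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Data scoping: the owner of the preferences to load comes from the
     * container's authenticated principal, never from a request parameter
     * such as ?user=..., so editing the URL cannot select another user's data.
     */
    public static String preferenceOwner(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p == null) {
            throw new IllegalStateException("request is not authenticated");
        }
        return p.getName();
    }
}
```

In the JSP the check then reads `<% if ( Privileges.hasPrivilege( request, "modify_preferences" ) ) { %>`, and the business logic loads preferences for `Privileges.preferenceOwner(request)`.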
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".