Dan,

You are correct about my suggestion requiring extra coding. I suppose I
should have qualified my comment a little more. IMHO it would be better to
have the controller servlet call the isUserInRole() and then forward to a
different jsp based on the role when you are working with a design team that
is not exceptionally jsp savvy. In some circumstances I don't know if I
would want to give page designers access to the taglib that was going to be
controlling security.

I can understand Craig's comment that in some situations isUserInRole()
could qualify as "presentation logic." However, as a developer who is
ultimately responsible for security concerns, I would rather do a little
extra coding to handle all the security issues as part of the "business
logic"(controller) and then let the designers handle the jsp to make sure
that the proper content(model) was displayed on the role-specific jsp
pages(views).

This, however, is just how I am reacting to the development environment that
I work in and does not really represent an efficient security
implementation.

Now back to your regular broadcasting.

-jesse

Daniel Lopez wrote:
> 
> Hi Jesse,
> 
> With your solution, we'd have to create a different JSP page for every user
> role, which might be useful sometimes, but not always. Craig's idea, and mine
> also, is to hide some parts of the UI depending on the role of the user,
> accessing the SAME JSP page. So you can save some code. So I agree with him on
> this one :). But for some cases, it could be useful, yes. I actually do
> something like that in my controller servlet.
> 
> Thanks for the feedback,
> Dan
> 
> Jesse Clark wrote:
> 
>> 
>> "Craig R. McClanahan" :
>>> That's exactly what isUserInRole() is for -- to let you vary the response
>>> based on the security permissions of the current user.  So, to show a chunk
>>> of your JSP page only to managers, you would do something like this:
>> 
>>> <% if (request.isUserInRole("manager")) { %>
>>> ... the output that only managers should see ...
>>> <% } %>
>>> To me, this counts as "presentation logic" rather than "business logic",
>>> because nothing in the underlying business model (in your beans) is
>>> affected.  However, if you don't like scriptlets embedded in your JSP
>>> pages, you can also write a custom tag to accomplish this -- perhaps it
>>> would end up looking like:
>>> 
>>> <mytags:rolecheck role="manager">
>>> ... the output that only managers should see ...
>>> </mytags:rolecheck>
>>> 
>> 
>> Alternately you could have a security controller servlet perform the
>> isUserInRole() check and then forward to a jsp that would display the
>> correct view. Then you wouldn't have to build a custom tag.
>> 
>> -jesse
>> 
> 
> 
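As an added example (not code from anyone in this thread), here is what the controller-servlet approach Jesse describes might look like: the servlet calls isUserInRole() once, server-side, and forwards to a role-specific JSP. The class name, the role names and the /WEB-INF/views/ paths are assumptions; keeping the views under WEB-INF matters, since a role-specific page that can be requested directly by URL would bypass the controller's check entirely.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical controller servlet (added example). The container has already
 * authenticated the user via a security-constraint in web.xml; this servlet
 * decides which view to show by calling isUserInRole() once, server-side.
 */
public class RoleViewController extends HttpServlet {

    // Assumed role -> view mapping, most privileged first; first match wins.
    // Views live under /WEB-INF so they cannot be fetched directly by URL.
    private static final Map<String, String> ROLE_VIEWS = new LinkedHashMap<String, String>();
    static {
        ROLE_VIEWS.put("manager",  "/WEB-INF/views/manager.jsp");
        ROLE_VIEWS.put("employee", "/WEB-INF/views/employee.jsp");
    }

    /** Returns the view for the first role the caller holds, or null (deny by default). */
    static String selectView(HttpServletRequest request) {
        for (Map.Entry<String, String> e : ROLE_VIEWS.entrySet()) {
            if (request.isUserInRole(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getUserPrincipal() == null) {
            // Reached without container authentication: web.xml is misconfigured, refuse.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String view = selectView(request);
        if (view == null) {
            // Authenticated but holds none of the mapped roles.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Forward keeps the request server-side; the browser never sees the WEB-INF path.
        getServletContext().getRequestDispatcher(view).forward(request, response);
    }
}
```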
