Hi Jesse,

With your solution, we'd have to create a different JSP page for every user role,
which might be useful sometimes, but not always. Craig's idea, and mine also, is to hide
some parts of the UI depending on the role of the user accessing the SAME JSP page.
So you can save some code. So I agree with him on this one :). But for some cases, it
could be useful, yes. I actually do something like that in my controller servlet.

Thanks for the feedback,
Dan

Jesse Clark wrote:

>
> "Craig R. McClanahan" :
> > That's exactly what isUserInRole() is for -- to let you vary the response
> > based on the security permissions of the current user.  So, to show a
> > chunk of your JSP page only to managers, you would do something like this:
> >
> > <% if (request.isUserInRole("manager")) { %>
> > ... the output that only managers should see ...
> > <% } %>
> >
> > To me, this counts as "presentation logic" rather than "business logic",
> > because nothing in the underlying business model (in your beans) is
> > affected.  However, if you don't like scriptlets embedded in your JSP
> > pages, you can also write a custom tag to accomplish this -- perhaps it
> > would end up looking like:
> >
> > <mytags:rolecheck role="manager">
> > ... the output that only managers should see ...
> > </mytags:rolecheck>
> >
>
> Alternately you could have a security controller servlet perform the
> isUserInRole() check and then forward to a jsp that would display the
> correct view. Then you wouldn't have to build a custom tag.
>
> -jesse
>
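
A possible tag handler behind the <mytags:rolecheck> tag sketched in the quoted message, as an added example that is not part of the original thread. The class name RoleCheckTag, the mytags package and the comma-separated role list (an extension beyond the single role shown above) are assumptions, and the TLD entry mapping the tag name to this class is not shown.

```java
package mytags; // hypothetical package, named after the tag prefix used in the thread

import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * Handler for <mytags:rolecheck role="manager"> ... </mytags:rolecheck>.
 * The body is rendered only if the current user is in one of the listed roles.
 * This only controls what markup is emitted; the URLs behind any hidden links
 * still need their own check (a web.xml security-constraint or a servlet-side
 * isUserInRole() test).
 */
public class RoleCheckTag extends TagSupport {

    private String role; // set by the container from the "role" attribute

    public void setRole(String role) {
        this.role = role;
    }

    @Override
    public int doStartTag() throws JspException {
        // Fail closed: a missing or blank attribute renders nothing.
        if (role == null || role.trim().isEmpty()) {
            return SKIP_BODY;
        }
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();

        // isUserInRole() returns false for unauthenticated users, so they
        // fall through to SKIP_BODY as well.
        for (String candidate : role.split(",")) {
            if (request.isUserInRole(candidate.trim())) {
                return EVAL_BODY_INCLUDE; // write the tag body into the response
            }
        }
        return SKIP_BODY;
    }

    @Override
    public void release() {
        role = null; // handler instances may be reused by the container
        super.release();
    }
}
```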
