Hi Janco,
Janco Tanis wrote:
> Hi Daniel,
>
> Daniel Lopez wrote:
>
> >
> > It might be that I haven't really understood how security is specified in JSDK2.2 but
> > how would you solve the case of having two different users (with different privileges)
> > accessing two different sets of data (which require different roles) using the same
> > servlet/JSP (which means the same URL with different request parameters)? A basic
> > example, several users accessing their own preferences for an application. You don't want
> > one user to see the preferences of another user and you don't want to create a different
> > JSP for each user.
>
> You should clearly distinguish between privileges and data! Roles are essentially a number
> of privileges defined by you.
I don't exactly get the meaning of this comment. I can distinguish quite clearly between data
and privileges ;).
I'm just saying that, in my example, one privilege meant "being able to access this data" and
another privilege meant "accessing this other data".
> If role "my_role" has the privilege "modify_preferences" your
> business logic should load preferences based on the user using getUserPrincipal() and enable
> the privileges screen.
But what happens if you have an administrator that has to be able to see other people's data?
How about some users being able to modify, or just see but not modify, other people's data? I
agree this is a good solution for some cases but I can't see how you can cover all the cases
with this approach.
> > Given the JSDK2.2 spec, the only solution I can think of, is using
> > "isUserInRole()" inside the JSP or the servlet to check whether the parameters match the
> > authenticated user, so we are back again to mixing security and business logic. Am I
> > missing something?
>
> Privileges are unfortunately not abstracted by the servlet api. Which means that your user
> interface has lots of ugly statements where you need to check all roles which may use a
> feature of your application. It is even worse when you add a role into an existing
> application. Then you need to adjust all screens where the role is used.
>
> <% if ( request.isUserInRole( "viewer" )
> || request.isUserInRole( "customer" )
> || request.isUserInRole( "administrator" ) ) { %>
> <A href="...">Modify preferences</A>
> <% } %>
>
> When you base your user interface on privileges instead you only need to change the code when
> you add features to your application.
>
> <% if ( request.hasPrivilege( "modify_preferences" ) ) { %>
> <A href="...">Modify preferences</A>
> <% } %>
I don't see clearly the advantage of the second approach. I mean if you have a Role
"Administrator" that is the only one able to modify the preferences, then it's as in the same
case. And if you decide to split a permission into different sub-permissions (because you
created a new role that has limited access, for example), you would also have to change/revise
all the places where you have used the global privilege, so I see no big approach in here. It
depends on how you define Roles/Privileges inside your security architecture, so I see no
inherent advantage in using one method over the other.
> > And, if I'm not mistaken, you'll have to redeploy the security part of your application
> > every time you change from one container to another. And that's something you didn't
> > have to do before.
>
> I don't think this is true as all 2.2 compatible containers will probably use the same
> method on how to declare the user/roles.
I'm afraid you're wrong in this one. The specification says quite clearly that this is a
container-specific issue, and even though I've been told that some efforts are being directed
towards adding this to the specification, it's not there yet. That's why I'm talking about it,
I want it to be there :).
> best regards,
> Janco
> ------------------------------------------------------------
> COAS, Your partner in computer aided services
>
> Nijverheidsweg 34 Tel: +31 (0) 187 49 3222
> Postbus 44 Fax: +31 (0) 187 49 2912
> 3250 AA Stellendam Email: [EMAIL PROTECTED]
Thanks for your comments,
Dan
-------------------------------------------
Daniel Lopez Janariz ([EMAIL PROTECTED])
Web Services
Computer Center
Balearic Islands University
-------------------------------------------
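
Added example (not part of the original message, and not servlet API code): one way to keep the per-user data check out of the JSP is to map roles to privileges in one table and decide "own" versus "any" access from the authenticated principal and the requested owner. The role table, the privilege names and the `hasPrivilege`/`mayAccess` helpers are assumptions made for illustration; in a servlet the role predicate would be `request::isUserInRole` and the caller name would come from `request.getUserPrincipal()`.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

public class PreferenceAccess {
    // Assumed role-to-privilege table; adding a role means editing only this map.
    static final Map<String, Set<String>> ROLE_PRIVILEGES = Map.of(
        "customer", Set.of("view_own_preferences", "modify_own_preferences"),
        "viewer", Set.of("view_own_preferences", "view_any_preferences"),
        "administrator", Set.of("view_any_preferences", "modify_any_preferences"));

    /** True if any role the caller holds grants the privilege. */
    static boolean hasPrivilege(Predicate<String> isUserInRole, String privilege) {
        return ROLE_PRIVILEGES.entrySet().stream()
            .anyMatch(e -> e.getValue().contains(privilege) && isUserInRole.test(e.getKey()));
    }

    /** May `caller` perform `action` ("view" or "modify") on `owner`'s preferences? */
    static boolean mayAccess(String caller, Predicate<String> isUserInRole,
                             String action, String owner) {
        if (caller == null || owner == null) return false;   // unauthenticated or no target: deny
        if (!action.equals("view") && !action.equals("modify")) return false; // unknown: deny
        // The owner comes from a request parameter, so it is compared against the
        // authenticated principal and never trusted on its own.
        if (caller.equals(owner)
                && hasPrivilege(isUserInRole, action + "_own_preferences")) return true;
        return hasPrivilege(isUserInRole, action + "_any_preferences");
    }

    public static void main(String[] args) {
        // Constructed sample users and role assignments.
        Map<String, Set<String>> roles = Map.of(
            "alice", Set.of("customer"), "bob", Set.of("viewer"),
            "root", Set.of("administrator"));
        String[][] requests = {
            {"alice", "modify", "alice"}, {"alice", "view", "bob"},
            {"bob", "view", "alice"}, {"bob", "modify", "alice"},
            {"root", "modify", "bob"}};
        for (String[] r : requests) {
            Predicate<String> inRole = roles.get(r[0])::contains;
            System.out.printf("%s %s %s's preferences: %s%n", r[0], r[1], r[2],
                mayAccess(r[0], inRole, r[1], r[2]) ? "allowed" : "denied");
        }
    }
}
```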