Hello Matt,

Controlling pages' look and feel according to users' roles is also exactly what I need and what I am currently working on. The solution you suggest is interesting because it is simple and covers most cases.

However, I am looking for a solution that:

1 - would keep the security information around the controller rather than around the forms,
2 - could be extended so that the look and feel control could be based on session-level or context-level information other than pure security,
3 - would be open enough so that almost any page layout information could change depending on security.

My suggestion would be to:

A) declare the field configurations as form options rather than as security constraints; this would look like:

    <form-bean name="firstForm" type="org.apache.struts.webapp.example.FirstForm">
      <options>
        <option name="editableAddress">
          <fields="street,city,zip" type="write"/>
          <fields="adressUpdate" type="enable"/>
        </option>
        <option name="readOnlyAddress">
          <fields="street,city,zip" type="readOnly"/>
          <fields="adressUpdate" type="disable"/>
        </option>
        <option name="simplifiedReadOnlyAddress">
          <fields="street,zip" type="invisible"/>
          <fields="adressUpdate" type="invisible"/>
        </option>
      </options>
    </form-bean>

B) associate the security "roles" information with the action forward definition and with the form options; this would look like:

    <action path="/getAddress" type="GetAddressAction"
            roles="addressManagement,addressBrowsing,simpleViewing">
      <forward name="success" path="/address.jsp">
        <security roles="addressManagement" options="editableAddress"/>
        <security roles="addressBrowsing" options="readOnlyAddress"/>
        <security roles="simpleViewing" options="simplifiedReadOnlyAddress"/>
      </forward>
    </action>

C) provide form option reading/checking tags so that any JSP page code could rely on form options.

I have not considered implementation yet. But though it would be more complex than your proposal, I have not identified design-level obstacles.

What do you think of my needs? Of my proposal?

Thanks in advance.

Michel
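
The following is an added example, not part of Michel's message and not Struts code: one way the role-to-option-to-field mapping sketched above could be resolved in Java and reused when the form is submitted, so that a field rendered read-only or invisible is also refused on the server. The class and method names, the first-match-wins order for users holding several roles, and the deny-by-default handling of unmatched roles and unlisted fields are assumptions; the button field with its enable/disable types is left out.

```java
import java.util.*;

public class FormOptionResolver {
    enum Mode { WRITE, READ_ONLY, INVISIBLE }

    // Option name -> (field -> mode), mirroring the <options> sketch in the message.
    static final Map<String, Map<String, Mode>> OPTIONS = new HashMap<>();
    // Role -> option name, mirroring the <security> elements; insertion order is precedence (assumption).
    static final Map<String, String> ROLE_TO_OPTION = new LinkedHashMap<>();

    static Map<String, Mode> fields(Mode mode, String... names) {
        Map<String, Mode> m = new HashMap<>();
        for (String n : names) m.put(n, mode);
        return m;
    }

    static {
        OPTIONS.put("editableAddress", fields(Mode.WRITE, "street", "city", "zip"));
        OPTIONS.put("readOnlyAddress", fields(Mode.READ_ONLY, "street", "city", "zip"));
        OPTIONS.put("simplifiedReadOnlyAddress", fields(Mode.INVISIBLE, "street", "zip"));
        ROLE_TO_OPTION.put("addressManagement", "editableAddress");
        ROLE_TO_OPTION.put("addressBrowsing", "readOnlyAddress");
        ROLE_TO_OPTION.put("simpleViewing", "simplifiedReadOnlyAddress");
    }

    /** First declared role the user holds wins; no matching role yields no option (deny). */
    static Optional<String> resolveOption(Set<String> userRoles) {
        for (Map.Entry<String, String> e : ROLE_TO_OPTION.entrySet())
            if (userRoles.contains(e.getKey())) return Optional.of(e.getValue());
        return Optional.empty();
    }

    /** Server-side check: keep only submitted parameters the resolved option marks WRITE. */
    static Map<String, String> filterSubmission(Set<String> userRoles, Map<String, String> params) {
        Map<String, Mode> modes =
            resolveOption(userRoles).map(OPTIONS::get).orElse(Collections.emptyMap());
        Map<String, String> accepted = new TreeMap<>();
        for (Map.Entry<String, String> p : params.entrySet())
            if (modes.get(p.getKey()) == Mode.WRITE) accepted.put(p.getKey(), p.getValue());
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed request that submits every address field, whatever the page rendered.
        Map<String, String> all = new HashMap<>();
        all.put("street", "1 Example Rd"); all.put("city", "Paris"); all.put("zip", "75001");
        for (String role : new String[] {"addressManagement", "addressBrowsing", "noSuchRole"})
            System.out.println(role + " -> " + filterSubmission(Collections.singleton(role), all));
    }
}
```

Only the addressManagement role gets its submitted values through; the other two roles get an empty map, because the JSP-level option controls rendering while this filter controls what the action accepts.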