I've used something like you describe, though not unique to Struts,
prototype similar to this:

 <tagname:if authorized="true">
   <link/>
 </tagname:if>

 A few issues / unresolved items were that it didn't by itself provide a
good way to do granular authorization for many UI items. For example if you
had several links on a page that you wanted to protect, you had to code this
tag around each link, each one may have unique security requirements. It can
become a maintenance hassle.

 Second was that sometimes I found myself testing the same thing a couple
times on a page. This instance may have been unique to this application, but
I would have liked to cache a previous check on the same page so as not to
have to make calls all the way down the wire to see if the test was true.


-----Original Message-----
From: Mike Duffy [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 20, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: Fine Grained Access Control in Struts


Does anyone have any thoughts on fine grained access control in
Struts?

Struts enables access control based on actions (see Struts in
Action, Husted, et al., pp 550-553), and most application servers
can protect resources based on realms/roles.

But what about display options based on roles?  For example, if you
only wanted an Admin link to appear if the user was an
administrator, what would be the best way to do this?

You could make the role an attribute of the user object and then do
a logic test for the appropriate role.  Or it might be even better to
write a logic tag that takes the user role as an attribute.  Any
thoughts?

Thanks for your consideration.

BTW.  The Husted book is a very good book.

Mike



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



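As an added example (not code from either poster), here is one way to build the role-checking logic tag Mike asks about, shaped to address the two problems raised in the reply: a `roles` attribute that takes several roles with `match="any"` or `match="all"`, so one tag covers links with different requirements, and a per-request cache of `isUserInRole()` answers, so the same role tested several times on one page goes to the realm only once. The tag name `auth:ifInRole`, the attribute names and the request-attribute key are assumptions; the class needs the servlet and JSP APIs on the classpath and a TLD entry of your own.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * Hypothetical tag: <auth:ifInRole roles="admin,auditor" match="any"> ... </auth:ifInRole>
 * The body is rendered only when the container reports the user in the required role(s).
 * Tag and attribute names are assumptions; register them in a TLD of your own.
 */
public class IfInRoleTag extends SimpleTagSupport {

    /** Where role membership comes from; abstracted so the decision logic needs no container. */
    public interface RoleSource {
        boolean isUserInRole(String role);
    }

    /**
     * Pure decision logic, usable outside a JSP. Fails closed: no roles, only blank
     * roles, or an unknown match mode all deny. "all" needs every listed role, "any" needs one.
     */
    public static boolean allowed(String roles, String match, RoleSource source) {
        List<String> wanted = new ArrayList<>();
        if (roles != null) {
            for (String r : roles.split(",")) {
                String t = r.trim();
                if (!t.isEmpty()) wanted.add(t);
            }
        }
        if (wanted.isEmpty()) return false;
        boolean requireAll;
        if ("all".equalsIgnoreCase(match)) requireAll = true;
        else if ("any".equalsIgnoreCase(match)) requireAll = false;
        else return false;                       // misconfigured tag: deny rather than guess
        for (String r : wanted) {
            boolean has = source.isUserInRole(r);
            if (requireAll && !has) return false;
            if (!requireAll && has) return true;
        }
        return requireAll;                        // "all": every role held; "any": none held
    }

    /**
     * Caches isUserInRole() answers in a request attribute, so a role checked ten times
     * on one page hits the realm once. The scope is the request on purpose: a session-
     * scoped cache would keep showing links for a role the user no longer holds.
     */
    public static final class RequestRoleCache implements RoleSource {
        private static final String ATTR = IfInRoleTag.class.getName() + ".roleCache"; // assumed key
        private final HttpServletRequest request;
        private final Map<String, Boolean> cache;

        @SuppressWarnings("unchecked")
        public RequestRoleCache(HttpServletRequest request) {
            this.request = request;
            Map<String, Boolean> existing = (Map<String, Boolean>) request.getAttribute(ATTR);
            if (existing == null) {
                existing = new HashMap<>();
                request.setAttribute(ATTR, existing);
            }
            this.cache = existing;
        }

        public boolean isUserInRole(String role) {
            Boolean hit = cache.get(role);
            if (hit == null) {
                hit = request.isUserInRole(role);   // delegates to the container's realm
                cache.put(role, hit);
            }
            return hit;
        }
    }

    private String roles;          // required: comma-separated role names
    private String match = "any";  // optional: "any" (default) or "all"

    public void setRoles(String roles) { this.roles = roles; }
    public void setMatch(String match) { this.match = match; }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext ctx = (PageContext) getJspContext();
        HttpServletRequest req = (HttpServletRequest) ctx.getRequest();
        if (allowed(roles, match, new RequestRoleCache(req)) && getJspBody() != null) {
            getJspBody().invoke(null);   // null writer = emit the body into the page output
        }
    }
}
```

In a page this wraps the link once, e.g. `<auth:ifInRole roles="admin"><a href="admin.do">Admin</a></auth:ifInRole>`. Hiding the link is a display decision only; the action-level and container-level checks the original message mentions still have to stay in place, since anyone can type the Admin URL without seeing the link.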
