On 4/22/05, Dick Starr <[EMAIL PROTECTED]> wrote:
> I am new to both Struts and web applications and in fact am writing my
> very first web application, so I may not understand how this all works.
> In the app it's possible for more than one user to be on the same PC
> (e.g. a user needs their supervisor to log on to the app as a higher
> security user to do something that the user can't do).

So, as a client story, the key issue is that: "Sometimes, a user needs their supervisor to authorize an unusual transaction."

Most of us have probably seen this happen at the grocery store. The clerk needs to credit something and turns on the flashing light. The front end manager strolls over, inserts a key into the register, or taps in a code, so that the clerk can issue the credit.

If we are writing the application with the servlet API, we might be tempted to piggy-back the authorization by having the supervisor log in to a separate window, so that the clerk can complete the transaction using the supervisor's credentials.

If we are writing the application *into* the servlet API, we might instead issue our own override code and make it an expected element of the request.

If this is the case, then the simplest thing would be to add a table to the database (or map to application scope) that could store authorization keys and the other salient details about the transaction.

When such a transaction is needed, the clerk steps through a wizard that asks for a supervisor ID. But the ID is not used for a login, but to obtain a GUID. One copy of the GUID is stored in the database, and the other is stored as a hidden field in the request.

Later, when the transaction is submitted, the business logic compares the authorization code (GUID) against the table. If it matches, then the transaction can continue, and the code can be marked as used.

This is the same pattern that Struts uses to foil double-submits.

HTH, Ted.
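
The override-code flow described in the reply above, as an added Java example (not part of the original post and not Struts code). The class `OverrideCodes`, the in-memory map standing in for the database table, the expiry, and the binding of each code to a clerk and transaction are assumptions made here; checking the supervisor's ID before `issue` is called is left to the caller.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory stand-in for the authorization table (Java 16+ for records). */
public class OverrideCodes {
    // One table row: who approved, for whom, for which transaction, and until when.
    record Grant(String supervisorId, String clerkId, String transactionId, Instant expires) {}

    private final Map<String, Grant> table = new ConcurrentHashMap<>();
    private final Duration lifetime; // expiry is an assumption added here, not in the post

    OverrideCodes(Duration lifetime) { this.lifetime = lifetime; }

    /** Wizard step: issue a code; the caller writes it into the hidden form field. */
    String issue(String supervisorId, String clerkId, String transactionId) {
        String code = UUID.randomUUID().toString(); // type 4 UUID from a cryptographically strong RNG
        table.put(code, new Grant(supervisorId, clerkId, transactionId,
                Instant.now().plus(lifetime)));
        return code;
    }

    /** Submit step: succeeds at most once, and only for the clerk and transaction it was issued for. */
    boolean redeem(String code, String clerkId, String transactionId) {
        if (code == null) return false;              // missing hidden field
        Grant g = table.remove(code);                // atomic remove marks the code as used, even on mismatch
        return g != null
                && g.clerkId().equals(clerkId)
                && g.transactionId().equals(transactionId)
                && Instant.now().isBefore(g.expires());
    }

    public static void main(String[] args) {
        OverrideCodes codes = new OverrideCodes(Duration.ofMinutes(5));
        // Constructed sample identifiers.
        String code = codes.issue("supervisor-7", "clerk-12", "credit-0001");
        System.out.println(codes.redeem(code, "clerk-12", "credit-9999"));  // code presented for a different transaction
        System.out.println(codes.redeem(code, "clerk-12", "credit-0001"));  // same code again after it was consumed
        String fresh = codes.issue("supervisor-7", "clerk-12", "credit-0001");
        System.out.println(codes.redeem(fresh, "clerk-12", "credit-0001")); // first use, matching clerk and transaction
        System.out.println(codes.redeem(fresh, "clerk-12", "credit-0001")); // replay of a used code
    }
}
```

Because the hidden field is visible to the client, the server-side row is what carries the authority: the submitted GUID only selects that row, and the clerk and transaction are taken from the server's own session state when `redeem` is called.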