Well, of course each action should have its control of the access. I meant: hide the links and control through the actions, so no one will access them with a direct link.
On 1/11/06, Thomas Joseph <[EMAIL PROTECTED]> wrote:
>
> > Hide the links. This way, you won't let him lose time trying to access things
> > he can't and his view of the interface will be more clear.
>
> But that won't do good, if for clever people, who would play with the URLs
> with their limited access rights and access what is not meant for them.
> Probably encoding URLs could do some help in that way.
>
> In this mailing list, often people post doubts related to general
> architecture and practices. However the list is too good to answer almost
> all of them, but still people would like to know where they can have a
> mailing list to know the "Best Practices" as such. Can anyone help out
> here!!?
>
> Thanks
>
> Thomas Joseph
>
> On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:
> >
> > > Hi everyone,
> > >
> > > We have a web application running on Websphere Application Server V6.
> > > Say I have a JSP page that enables working on Student details.
> > > This JSP page enables users to view, insert, update or delete student
> > > records.
> > > Now, some users can only use the 'View' link, others can also use
> > > 'Insert' link, and some other users can only update.
> > >
> > > From what I know, I can hold a DB table that indicates for each user and
> > > table - which operations are allowed.
> > > But, my question is - what is the right way to do that on the JSP page?
> > > Do I call this security table on each page load and hide the
> > > unauthorized links? Or, do always show all the links and just let the
> > > database throw an exception and give a message to the user, when he/she
> > > presses an unauthorized link? Or is there a third and better way?
> > >
> > > Thanks
> > > Rivka
> > >
> --
> Letícia Álvares Barbalho
> [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
Letícia Álvares Barbalho
[EMAIL PROTECTED]
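An added example, not code from anyone in this thread, of the "hide the links, but control through the actions" approach for the Student page: one authorization check backed by the (user, table, operation) table, applied in a servlet filter so a typed-in URL is refused, and reused from the JSP to decide which links to render. The permission data, URL-to-operation mapping and class name are assumptions; a real application would load the permissions from the database instead of the in-memory map.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, mapped in web.xml to /student/*.
public class StudentAuthzFilter implements Filter {
    // Constructed sample rows of the permission table: user -> allowed ops on STUDENT.
    private static final Map<String, Set<String>> PERMS = new HashMap<String, Set<String>>();
    static {
        PERMS.put("alice", new HashSet<String>(Arrays.asList("VIEW", "INSERT", "UPDATE", "DELETE")));
        PERMS.put("bob",   new HashSet<String>(Arrays.asList("VIEW", "INSERT")));
        PERMS.put("carol", new HashSet<String>(Arrays.asList("UPDATE")));
    }
    // Each action URL is tied to exactly one operation; unknown URLs are denied.
    private static final Map<String, String> ACTION_OPS = new HashMap<String, String>();
    static {
        ACTION_OPS.put("/student/view",   "VIEW");
        ACTION_OPS.put("/student/insert", "INSERT");
        ACTION_OPS.put("/student/update", "UPDATE");
        ACTION_OPS.put("/student/delete", "DELETE");
    }

    // Single check used by both the filter and the JSP.
    public static boolean isAllowed(String user, String table, String op) {
        if (user == null || !"STUDENT".equals(table)) return false;
        Set<String> ops = PERMS.get(user);
        return ops != null && ops.contains(op);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String op = ACTION_OPS.get(r.getServletPath());   // null for any URL not in the table
        if (op == null || !isAllowed(r.getRemoteUser(), "STUDENT", op)) {
            // Deny before the action runs, regardless of how the URL was reached.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}

// In the JSP, the same check hides links the user cannot use, e.g.:
// <% if (StudentAuthzFilter.isAllowed(request.getRemoteUser(), "STUDENT", "INSERT")) { %>
//   <a href="/student/insert">Insert</a>
// <% } %>
```

Because the filter and the JSP share `isAllowed`, the visible links and the enforced permissions cannot drift apart, and a user who guesses `/student/delete` gets a 403 instead of a database exception.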