Let me tell you how I do it. It may not be the best way, but works fine for
our system.
I show or hide the links using JSTL, like this:
<c:if test='${sessionScope.incluirProduto == "T"}'>
<td align="right"><a href="javascript:void(0);"
onclick="javascript:enviaAcao();"> <bean:message key="label.add"/></a></td>
</c:if>
That's all it is for the JSP. On each (yes, each) of my actions, I have:
if (up.getLogged()==false){
return mapping.findForward("notLogged");
}
This way he won't access if he goes through the link
On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:
>
> Hi again,
>
> Letícia - Does hiding the links mean that I should put a heavy security
> checking code on each such JSP page? Or is there a nicer way?
>
> Gareth - I'm not sure I understand - by "If permission is denied you could
> forward to a different page." - do you mean that if I can have 4 links on my
> JSP page (view,insert,upate,delete), I need to hold 16 (4*4) versions of
> that page where each version shows different combination of links?
>
> Thanks
> Rivka
>
>
> -----Original Message-----
> From: Gareth Evans [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 11, 2006 2:59 PM
> To: Struts Users Mailing List
> Subject: Re: Enabling links according to user's authorization
>
> In addition to hiding the links, extend the requestprocessor to check
> against the current user and
> your security table. If permission is denied you could forward to a
> different page.
>
> the best place to do this is in the processPreprocess(HttpServletRequest,
> HttpServletResponse )
> method.
>
> Just hiding the links is not enough.
>
> Gareth
>
>
>
> Letícia Álvares Barbalho wrote:
> > Hide the links.This way, you won't let him lose time trying to access
> things
> > he can't and his view of the interface will be more clear.
> >
> > On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:
> >
> >>Hi everyone,
> >>
> >>We have a web application running on Websphere Application Server V6.
> >>Say I have a JSP page that enables working on Student details.
> >>This JSP page enables users to view, insert, update or delete student
> >>records.
> >>Now, some users can only use the 'View' link, others can also use
> >>'Insert' link, and some other users can only update.
> >>
> >>From what i know, i can hold a DB table that indicates for each user and
> >>table - which operations are allowed.
> >>But, my question is - what is the right way to do that on the JSP page?
> >>Do i call this security table on each page load and hide the
> >>unauthorized links? Or, do always show all the links and just let the
> >>database throw an exception and give a message to the user, when he/she
> >>presses an unauthorized link? Or is there a third and better way?
> >>
> >>Thanks
> >>Rivka
> >>
> >>
> >
> >
> >
> > --
> > Letícia Álvares Barbalho
> > [EMAIL PROTECTED]
> >
>
> --
> Gareth Evans
>
> MSoft eSolutions Limited
> Technology Centre
> Inward Way
> Rossmore Business Park
> Ellesmere Port
> Cheshire
> CH65 3EN
>
> --
> Tel: +44 (0)870 0100 704
> Fax: +44 (0)870 9010 705
> E-Mail: [EMAIL PROTECTED]
> Web: www.msoft.co.uk
>
> ----------------------------------------------
> Terms:
> Please note that any prices quoted within this e-mail are subject to VAT.
> All program details and code described in this e-mail are subject to
> copyright (c) of MSoft eSolutions Limited and remain the intellectual
> property of MSoft eSolutions Limited.
> Any proposal or pricing information contained within this e-mail are
> subject to MSoft eSolutions' Terms and Conditions
> ----------------------------------------------
> Disclaimer:
> This message is intended only for use of the addressee. If this message
> was sent to you in error, please notify the sender and delete this
> message. MSoft eSolutions Limited cannot accept responsibility for
> viruses,
> so please scan attachments. Views expressed in this message do not
> necessarily reflect those of MSoft eSolutions Limited who will not
> necessarily be bound by its contents.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
--
Letícia Álvares Barbalho
[EMAIL PROTECTED]
