Let me tell you how I do it. It may not be the best way, but works fine for our system. I show or hide the links using JSTL, like this:
<c:if test='${sessionScope.incluirProduto == "T"}'>
    <td align="right"><a href="javascript:void(0);" onclick="javascript:enviaAcao();"> <bean:message key="label.add"/></a></td>
</c:if>

That's all it is for the JSP. On each (yes, each) of my actions, I have:

if (up.getLogged()==false){
    return mapping.findForward("notLogged");
}

This way he won't access if he goes through the link

On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:
>
> Hi again,
>
> Letícia - Does hiding the links mean that I should put a heavy security
> checking code on each such JSP page? Or is there a nicer way?
>
> Gareth - I'm not sure I understand - by "If permission is denied you could
> forward to a different page." - do you mean that if I can have 4 links on my
> JSP page (view,insert,update,delete), I need to hold 16 (4*4) versions of
> that page where each version shows different combination of links?
>
> Thanks
> Rivka
>
>
> -----Original Message-----
> From: Gareth Evans [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 11, 2006 2:59 PM
> To: Struts Users Mailing List
> Subject: Re: Enabling links according to user's authorization
>
> In addition to hiding the links, extend the RequestProcessor to check
> against the current user and your security table. If permission is
> denied you could forward to a different page.
>
> The best place to do this is in the
> processPreprocess(HttpServletRequest, HttpServletResponse) method.
>
> Just hiding the links is not enough.
>
> Gareth
>
>
> Letícia Álvares Barbalho wrote:
> > Hide the links. This way, you won't let him lose time trying to access
> > things he can't and his view of the interface will be more clear.
> >
> > On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:
> >
> >>Hi everyone,
> >>
> >>We have a web application running on Websphere Application Server V6.
> >>Say I have a JSP page that enables working on Student details.
> >>This JSP page enables users to view, insert, update or delete student
> >>records.
> >>Now, some users can only use the 'View' link, others can also use
> >>'Insert' link, and some other users can only update.
> >>
> >>From what I know, I can hold a DB table that indicates for each user and
> >>table - which operations are allowed.
> >>But, my question is - what is the right way to do that on the JSP page?
> >>Do I call this security table on each page load and hide the
> >>unauthorized links? Or, do always show all the links and just let the
> >>database throw an exception and give a message to the user, when he/she
> >>presses an unauthorized link? Or is there a third and better way?
> >>
> >>Thanks
> >>Rivka
> >
> > --
> > Letícia Álvares Barbalho
> > [EMAIL PROTECTED]
>
> --
> Gareth Evans
>
> MSoft eSolutions Limited
>
--
Letícia Álvares Barbalho
[EMAIL PROTECTED]
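
The two server-side approaches in this thread (a check in every Action, or a single check in processPreprocess) can be combined into one deny-by-default RequestProcessor. The following is an added example, not code posted by anyone in the thread: the class name, the action paths and the "excluirProduto" flag are assumptions, and only the "incluirProduto" session flag with value "T" comes from the JSP above.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

// Added example: one central, deny-by-default check instead of a check in every Action.
public class AuthzRequestProcessor extends RequestProcessor {
    // Hypothetical table: action path -> session flag that must equal "T".
    private static final Map<String, String> REQUIRED_FLAG = new HashMap<String, String>();
    // Hypothetical paths reachable without any permission flag.
    private static final Set<String> PUBLIC_PATHS = new HashSet<String>();
    static {
        REQUIRED_FLAG.put("/addProduct.do", "incluirProduto");    // flag used by the JSP above
        REQUIRED_FLAG.put("/deleteProduct.do", "excluirProduto"); // assumed flag name
        PUBLIC_PATHS.add("/login.do");
    }

    // Allow only public paths or paths whose flag is set in the session.
    static boolean isAllowed(String path, HttpSession session) {
        if (PUBLIC_PATHS.contains(path)) {
            return true;
        }
        String flag = REQUIRED_FLAG.get(path);
        if (flag == null || session == null) {
            return false; // unmapped action or no session: deny
        }
        return "T".equals(session.getAttribute(flag));
    }

    @Override
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        // Assumes the ActionServlet is mapped to *.do, so this is e.g. "/addProduct.do".
        String path = request.getServletPath();
        if (isAllowed(path, request.getSession(false))) {
            return true; // continue normal Struts processing
        }
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            servlet.log("Could not send 403 response", e);
        }
        return false; // response is complete; the Action never runs
    }
}
```

It is registered in struts-config.xml with `<controller processorClass="AuthzRequestProcessor"/>`. Because unmapped paths are denied, a newly added action stays unreachable until it is listed, and the JSP keeps a single version that shows each link only when its flag is set.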