Hi Gareth Can you please send me an example of the <customtags:checkpermission> tag? And also an example of how to change the request processor?
Thanks a lot Rivka -----Original Message----- From: Gareth Evans [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 11, 2006 3:25 PM To: Struts Users Mailing List Subject: Re: Enabling links according to user's authorization Hi Rivka, You could hide the links by creating a custom tag that only evaluates its body content if the current user has the required permission. e.g. <customtags:checkpermission key="VIEW_STUDENT_RECORD"> <html:link action="view..."View</html:link> </customtags:checkpermission> <customtags:checkpermission key="UPDATE_STUDENT_RECORD"> <html:link action="update..."Update</html:link> </customtags:checkpermission> <customtags:checkpermission key="DELETE_STUDENT_RECORD"> <html:link action="delete..."Delete</html:link> </customtags:checkpermission> But in addition to this you could stop the request from taking place at the requestprocessor level. i.e. in case somebody guesses the link. Gareth Rivka Shisman wrote: > Hi again, > > Letícia - Does hiding the links mean that I should put a heavy security > checking code on each such JSP page? Or is there a nicer way? > > Gareth - I'm not sure I understand - by "If permission is denied you could > forward to a different page." - do you mean that if I can have 4 links on my > JSP page (view,insert,upate,delete), I need to hold 16 (4*4) versions of that > page where each version shows different combination of links? > > Thanks > Rivka > > > -----Original Message----- > From: Gareth Evans [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 11, 2006 2:59 PM > To: Struts Users Mailing List > Subject: Re: Enabling links according to user's authorization > > In addition to hiding the links, extend the requestprocessor to check against > the current user and > your security table. If permission is denied you could forward to a > different page. > > the best place to do this is in the processPreprocess(HttpServletRequest, > HttpServletResponse ) > method. > > Just hiding the links is not enough. > > Gareth > > > > Letícia Álvares Barbalho wrote: > >>Hide the links.This way, you won't let him lose time trying to access things >>he can't and his view of the interface will be more clear. >> >>On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote: >> >> >>>Hi everyone, >>> >>>We have a web application running on Websphere Application Server V6. >>>Say I have a JSP page that enables working on Student details. >>>This JSP page enables users to view, insert, update or delete student >>>records. >>>Now, some users can only use the 'View' link, others can also use >>>'Insert' link, and some other users can only update. >>> >> >>>From what i know, i can hold a DB table that indicates for each user and >> >>>table - which operations are allowed. >>>But, my question is - what is the right way to do that on the JSP page? >>>Do i call this security table on each page load and hide the >>>unauthorized links? Or, do always show all the links and just let the >>>database throw an exception and give a message to the user, when he/she >>>presses an unauthorized link? Or is there a third and better way? >>> >>>Thanks >>>Rivka >>> >>> >> >> >> >>-- >>Letícia Álvares Barbalho >>[EMAIL PROTECTED] >> > > -- Gareth Evans MSoft eSolutions Limited Technology Centre Inward Way Rossmore Business Park Ellesmere Port Cheshire CH65 3EN -- Tel: +44 (0)870 0100 704 Fax: +44 (0)870 9010 705 E-Mail: [EMAIL PROTECTED] Web: www.msoft.co.uk ---------------------------------------------- Terms: Please note that any prices quoted within this e-mail are subject to VAT. All program details and code described in this e-mail are subject to copyright © of MSoft eSolutions Limited and remain the intellectual property of MSoft eSolutions Limited. Any proposal or pricing information contained within this e-mail are subject to MSoft eSolutions' Terms and Conditions ---------------------------------------------- Disclaimer: This message is intended only for use of the addressee. If this message was sent to you in error, please notify the sender and delete this message. MSoft eSolutions Limited cannot accept responsibility for viruses, so please scan attachments. Views expressed in this message do not necessarily reflect those of MSoft eSolutions Limited who will not necessarily be bound by its contents. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
