Rivka,
Great question. What I have done in the past (and maybe there are better ways)
is to:
1) When the user logs into the application, I cache off the user's role as well
as other attributes (usually in a small User object in session). These
attributes are the result of loading the User and attrs from the Database.
2) I have a Base Action that all the actions in the project extend. In this
base action I have a method to 'set the access level(s) for calling that
action'. The second method is an implementation of the perform method that
first checks the 'access' for the calling user (based on the subclass's set
access level). If that access is denied, then the appropriate forward is used
to indicate a credential error. If it is ok, then I call an abstract perform2
method that the subclass can implement (same signature as perform/execute).
When that method returns then I manage any errors (back in the base method) and
return the forward from the subclass.
In this way I have a very simple way to subclass and identify for each Action
an access level(s). I also use a CredentialManagement Class that just does some
bitwise operations so a user can have multiple roles for access. (That may be
overkill for you).
I hope this helps, and if you need further info or code snippets, let me know!
Cheers,
Brian Trzupek
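
The base-action pattern described in the reply above, as an added example that is not code from the thread or from Struts. To stay runnable without the Struts jar it models the session as a Map and a forward as a String; every class, role and forward name is a hypothetical stand-in.

```java
import java.util.Map;

// Added illustration; names here are hypothetical, not Struts API.
public class AccessDemo {
    // Each role is one bit, so a single int can hold several roles.
    static final int VIEW = 1, INSERT = 2, UPDATE = 4, DELETE = 8;

    // Cached in the session at login, loaded once from the database.
    record User(String name, int roles) {}

    static final class CredentialManager {
        // True when the user holds at least one of the required role bits.
        static boolean allowed(User u, int required) {
            return u != null && (u.roles() & required) != 0;
        }
    }

    abstract static class BaseAction {
        private final int required; // access level(s) set by the subclass
        BaseAction(int required) { this.required = required; }

        // Stand-in for perform/execute: check access first, then delegate.
        final String perform(Map<String, Object> session) {
            Object cached = session.get("user");
            User u = cached instanceof User ? (User) cached : null;
            if (!CredentialManager.allowed(u, required)) {
                return "credentialError"; // denied, or nobody logged in
            }
            try {
                return perform2(u);
            } catch (Exception e) {
                return "error"; // errors are managed back in the base method
            }
        }
        abstract String perform2(User u) throws Exception;
    }

    static class ViewStudent extends BaseAction {
        ViewStudent() { super(VIEW); }
        String perform2(User u) { return "studentView"; }
    }
    static class DeleteStudent extends BaseAction {
        DeleteStudent() { super(DELETE); }
        String perform2(User u) { return "studentDeleted"; }
    }

    public static void main(String[] args) {
        Map<String, Object> session = Map.of("user", new User("clerk", VIEW | UPDATE));
        System.out.println(new ViewStudent().perform(session));
        System.out.println(new DeleteStudent().perform(session));
        System.out.println(new ViewStudent().perform(Map.of()));
    }
}
```

Because `perform` is final, a subclass cannot skip the check, so a request for an action whose link was hidden on the page is still refused on the server.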
shyam kishore alapati wrote:
While login itself you can have the permissions in the session and based on the permissions
you can hide the links. Just for one variable I think there is no need to call the
database. You can use <logic:present> or <logic:equal> for this.
-----Original message-----
From: "Rivka Shisman" [EMAIL PROTECTED]
Date: Wed, 11 Jan 2006 04:18:23 -0800
To: "Struts Users Mailing List" user@struts.apache.org
Subject: Enabling links according to user's authorization
Hi everyone,
We have a web application running on WebSphere Application Server V6.
Say I have a JSP page that enables working on Student details.
This JSP page enables users to view, insert, update or delete student
records.
Now, some users can only use the 'View' link, others can also use
'Insert' link, and some other users can only update.
From what I know, I can hold a DB table that indicates for each user and
table - which operations are allowed.
But, my question is - what is the right way to do that on the JSP page?
Do I call this security table on each page load and hide the
unauthorized links? Or, do I always show all the links and just let the
database throw an exception and give a message to the user, when he/she
presses an unauthorized link? Or is there a third and better way?
Thanks
Rivka