Rivka,

I have been asked this question many times, so I decided to just add the answer 
to my blog. It is there for your enjoyment! Let me know if you need more help.

http://therustednail.blogspot.com/2006/01/role-based-user-authentication-in.html

Thanks,
Brian Trzupek
Blog: http://therustednail.blogspot.com


Rivka Shisman wrote:

Hi Brian,

Thanks for the info.
Please send me the code of the User class, base action class, and an
example action that uses that code.

Thanks a lot
Rivka


-----Original Message-----
From: Brian Trzupek [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 6:01 PM
To: Struts Users Mailing List
Cc: Rivka Shisman
Subject: Re: Enabling links according to user's authorization

Rivka,

Great question. What I have done in the past (and maybe there are better
ways) is to:
1) When the user logs into the application, I cache off the user's role
as well as other attributes (usually in a small User object in session).
These attributes are the result of loading the User and attrs from the
database.

2) I have a Base Action that all the actions in the project extend. In
this base action I have a method to 'set the access level(s) for calling
that action'. The second method is an implementation of the perform
method that first checks the 'access' for the calling user (based on the
subclass's set access level). If that access is denied, then the
appropriate forward is used to indicate a credential error. If it is ok,
then I call an abstract perform2 method that the subclass can implement
(same signature as perform/execute). When that method returns then I
manage any errors (back in the base method) and return the forward from
the subclass.

In this way I have a very simple way to subclass and identify for each
Action an access level(s). I also use a CredentialManagement Class that
just does some bitwise operations so a user can have multiple roles for
access. (That may be overkill for you).

I hope this helps, and if you need further info or code snippets, let me
know!

Cheers,
Brian Trzupek
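
The base-action pattern Brian describes, written out as an added example (it is not Brian's code and not from the thread): in Struts 1, execute() on the base class checks the role bits cached on the session User before handing off to the subclass's perform2(), so an action is refused even when a user reaches it by typing the URL rather than clicking a visible link. The Roles and User classes, the session key "user" and the forward names login, credentialError and success are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Role bits, so one int on the session User can carry several roles (names assumed). */
final class Roles {
    static final int VIEW = 1, INSERT = 2, UPDATE = 4, DELETE = 8;
    /** Bitwise check: does the user hold at least one of the roles the action requires? */
    static boolean hasAny(int userRoles, int required) { return (userRoles & required) != 0; }
}

/** Small object cached in the session at login, after loading the user from the database. */
final class User {
    private final int roles;
    User(int roles) { this.roles = roles; }
    int getRoles() { return roles; }
}

/** Every Action extends this and declares its role bit(s); execute() is final so no subclass can bypass the check. */
abstract class BaseAction extends Action {
    protected abstract int requiredRoles();
    protected abstract ActionForward perform2(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");
        if (user == null) {
            return mapping.findForward("login");           // not logged in at all
        }
        if (!Roles.hasAny(user.getRoles(), requiredRoles())) {
            return mapping.findForward("credentialError"); // logged in, but lacks the role
        }
        return perform2(mapping, form, request, response);
    }
}

/** Example subclass: only a user holding the DELETE bit ever reaches perform2(). */
class DeleteStudentAction extends BaseAction {
    protected int requiredRoles() { return Roles.DELETE; }
    protected ActionForward perform2(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success"); // the actual delete would go here
    }
}
```

The JSP can still hide links with <logic:present> or <logic:equal> on the same session User for a cleaner UI; the forward to credentialError is what enforces the rule.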



shyam kishore alapati wrote:

At login itself you can have the permissions in the session and
based on the permissions you can hide the links. Just for one variable I
think there is no need to call the database. You can use <logic:present>
or <logic:equal> for this.

-----Original message-----
From: "Rivka Shisman" [EMAIL PROTECTED]
Date: Wed, 11 Jan 2006 04:18:23 -0800
To: "Struts Users Mailing List" user@struts.apache.org
Subject: Enabling links according to user's authorization



Hi everyone,

We have a web application running on Websphere Application Server V6.
Say I have a JSP page that enables working on Student details.
This JSP page enables users to view, insert, update or delete student
records.
Now, some users can only use the 'View' link, others can also use
'Insert' link, and some other users can only update.

From what I know, I can hold a DB table that indicates for each user and
table which operations are allowed.
But my question is: what is the right way to do that on the JSP page?
Do I call this security table on each page load and hide the unauthorized
links? Or do I always show all the links and just let the database throw
an exception and give a message to the user when he/she presses an
unauthorized link? Or is there a third and better way?

Thanks
Rivka


