On 3/3/06, Craig McClanahan <[EMAIL PROTECTED]> wrote:
> On 3/3/06, James Reynolds <[EMAIL PROTECTED]> wrote:
> >
> > Allow me to refine my question. I'm wondering if the Shale filter is
> > intercepting requests to the container. Do I need to adjust the filter
> > mapping? Is there an FM somewhere that I should R?
>
> Shale's filters do indeed intercept whatever requests they are mapped to, but
> there are two important things to understand with respect to container
> managed security:
>
> * Container managed security is applied *before* any filters
>   (including the one that Shale provides).
>
> * Container managed security is applied *only* on the
>   initial request, not on RequestDispatcher.forward() calls.
>   In JSF (and therefore Shale) apps, that means you can
>   protect the incoming form submits (they will be mapped
>   to something like "/editCustomer.jsf" if you are using
>   extension mapping, and the page being submitted was
>   "/editCustomer.jsp").
>
> The second issue means that it is your application's responsibility to
> decide whether or not the user should be allowed to navigate to a particular
> page. Container managed security won't help you there. That being said, it
> might be interesting for Shale to deliver a custom JSF navigation handler
> that would optionally impose that sort of control ("only a manager can
> navigate to the salary details page").
Where I work we also protect data as well as actions/pages - something along
the lines of "only a manager can navigate to the salary details page - and
only for people in his/her department". We also have different levels of
data access for different groups of functions - for example a manager might
be allowed to navigate to the "next of kin" page for any employee at his
location, but only the salary details for his department. We also have the
facility (in Struts Action this is) to disable at various levels - we can
disable an individual action/page, user, role or area of data (e.g. the
manager's department).

If something like this is developed then it shouldn't be tied to container
managed security (i.e. request.isUserInRole()) and should be easy to plug in
custom implementations which could cater for other scenarios/criteria, such
as the above.

Sorry, just wanted to put in my 2 cents, in case someone actually does
something about this - that way when I move to Shale.... :-)

Niall

> Craig
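To illustrate the pluggable, application-level navigation check both messages describe, here is an added example written for this page (not Shale code and not either author's): a decorating JSF 1.x NavigationHandler lets the standard handler pick the target view, then asks a swappable authorizer whether the current user may see it. The class, interface and view names (AuthorizingNavigationHandler, ViewAuthorizer, /accessDenied.jsp) are assumptions, as is the one-argument constructor relying on JSF's decorator convention of passing in the previously registered handler.

```java
import javax.faces.application.NavigationHandler;
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

/**
 * Decorating NavigationHandler (hypothetical name). The wrapped handler resolves the
 * navigation rule; this class then authorizes the resulting view with a pluggable policy.
 */
public class AuthorizingNavigationHandler extends NavigationHandler {
    /** Pluggable policy: may the current user see this view? Not tied to isUserInRole(). */
    public interface ViewAuthorizer {
        boolean isAllowed(FacesContext context, String viewId);
    }

    private static final String DENIED_VIEW_ID = "/accessDenied.jsp"; // assumed view id
    private final NavigationHandler wrapped;
    private final ViewAuthorizer authorizer;

    /** JSF hands the previously registered handler to a one-argument constructor. */
    public AuthorizingNavigationHandler(NavigationHandler wrapped) {
        this(wrapped, new RoleBasedAuthorizer());
    }

    public AuthorizingNavigationHandler(NavigationHandler wrapped, ViewAuthorizer authorizer) {
        this.wrapped = wrapped;
        this.authorizer = authorizer;
    }

    public void handleNavigation(FacesContext context, String fromAction, String outcome) {
        wrapped.handleNavigation(context, fromAction, outcome); // installs the new view root
        UIViewRoot target = context.getViewRoot();
        if (target == null || authorizer.isAllowed(context, target.getViewId())) {
            return; // permitted, or no new view was installed (a redirect is checked by the container)
        }
        // The navigation is a forward, so the container never saw it; replace the view ourselves.
        ViewHandler viewHandler = context.getApplication().getViewHandler();
        context.setViewRoot(viewHandler.createView(context, DENIED_VIEW_ID));
        context.renderResponse();
    }

    /** Constructed sample policy: a plain role check, easily swapped for a department-aware one. */
    static class RoleBasedAuthorizer implements ViewAuthorizer {
        public boolean isAllowed(FacesContext context, String viewId) {
            return !viewId.startsWith("/salaryDetails")
                    || context.getExternalContext().isUserInRole("manager");
        }
    }
}
```

Register the class in faces-config.xml under the application element's navigation-handler entry; a department-aware ViewAuthorizer can then be supplied through the two-argument constructor without touching the handler itself.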