On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote: >Hang on!!! You've an admin form where you have dynamic roles, right? >And you've no means of knowing what these will be.. And what they are >denying access to.. Doing this with your proposed taglib wont help >solve this.. Your tag or jsp bean is going to have to ask the database >which roles have what access to a given page. Right! that was what I was going to do , but you scared me!
I don't understand why I need a reference to the user action/jsp in the database Roles are dynamic, relationships between roles and permissions are dynamic too, but permissions on jsp and single objects of jsp are static. In my jsp, I fix statically which permissions are . My taglib just has to verify if the user has one of the role with specified permissions(perm1 , perm2) querying the database to decide if to show the page, if to show a denying message, or show fields editable or not. Alessandro On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote: > > On 3/17/06, Alessandro Colantoni <[EMAIL PROTECTED]> wrote: > > Hi! again!! > > Of course I'm Italian, but at moment I'm living in Spain for work, so > just > > the same continent .! > > At the end I will choose the jsp solution with taglib (I'm gonna write > my > > permission taglib now!) 'cause reference pages in database can be too > much > > work and in some case I have permissions at field level. > > I think I yet found the solution to make such a taglib generic to re use > in > > all future applications > > I'll do something like that > > <permissions:present list="perm1,perm2,perm3"> > > <!-- write your jsp piece --> > > </permissions:present> > > <permissions:notPresent list="perm1,perm2,perm3"> > > <!-- write your jsp piece --> > > </permissions:notPresent > > > Hang on!!! You've an admin form where you have dynamic roles, right? > And you've no means of knowing what these will be.. And what they are > denying access to.. Doing this with your proposed taglib wont help > solve this.. Your tag or jsp bean is going to have to ask the database > which roles have what access to a given page.. > > Your stuck needing a reference to the user action/jsp in the database. > You could have a properties file mapping jsp's to a key and keep that > in the db. But you're going to need this to have truely dynamic roles > to view access control.. > > Mark > > > > > That seems more easy to maintain cause in my application I have just to > > maintain the relationship between roles and permissions > > > > Thanks a lot for your help! I hope you enjoy in my country > > Alessandro > > > > > > > > On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote: > > > > > > On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote: > > > > On 3/17/06, Alessandro Colantoni <[EMAIL PROTECTED]> > wrote: > > > > > Hi! and good morning (but probably we 're on different continents) > > > > > > Assiming you're in italy, we're in the same country.. > > > > > > > > > > > > > I don't undertand the last pos where you say. > > > > > >I had the impression he already had.. I don't get how posting > this > > > > > >helps, i must have misunderstood something.. Can you explain > please? > > > > > > > > > > Anyway thanks for accurate explication. > > > > > I'll go studing how to write the filter class > > > > > I think that as you say the right way is to have at least one role > > > mapped on > > > > > web.xml, forbid to delete it from database and ensure all user > have > > > this > > > > > rol. > > > > > So I can still use the yet configured container based > authentication. > > > > > Than check for permission in each page in the filter class, or, i > was > > > > > thinking check it directly in the jsp. > > > > > I was thinking write a taglib to do so. (that should check if the > user > > > has > > > > > at least a role that has at least one of the permissions for this > > > page) > > > > > Wich is the difference between jsp solution and filter class > solution? > > > > > Is filter class more secure? > > > > > > I did forget to outline the advantages of defining this stuff in jsp.. > > > You don't need to have a reference to the page in your database.. > > > Which i guess is a big advantage.. Again its your choice.. > > > > > > Mark > > > > > > > > > > > Its more secure in that you don't depend on jsp folk on getting it > > > > right, given that your having to do some view controller stuff in > your > > > > db it would seem a shame not to control this in a filter... You can > > > > also disactivate the filter during development and let jsp folk > write > > > > decent markup, without giving them the secondary problem of secuirty > > > > logic. > > > > > > > > You could just write a simple bean (as an other option) and use the > > > > trusty useBean tag, but you'll be depending on jsp folk on getting > > > > this right.. A filter is just tidier.. > > > > > > > > > > > > > Thanks a lot > > > > > Ciao! > > > > > > > > > > PS . good italian. What does it mean schete? > > > > My bad spelling for "scelte" > > > > > > > > mark > > > > > > > > > > > > > > > > > > > > > > > > > > > > On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > On 3/17/06, Mark Space <[EMAIL PROTECTED]> wrote: > > > > > > > Alessandro Colantoni wrote: > > > > > > > > > > > > > > > Thanks for rapid answer! > > > > > > > >What do you mean with filter the roles of second level. > > > > > > > >How can I do that? if they are not in the auth-constraint and > in > > > the > > > > > > role > > > > > > > >name list they can't access. > > > > > > > >have O to write a filter class? in this class retrieve the > role > > > of the > > > > > > user > > > > > > > >and if is one of the second level skip the container > > > authentication? > > > > > > > >I'm in the right way or I misunderstand all? > > > > > > > > > > > > > > > > > > > > > > > Or you could try this: > > > > > > > http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html > > > > > > > > > > > > I had the impression he already had.. I don't get how posting > this > > > > > > helps, i must have misunderstood something.. Can you explain > please? > > > > > > > > > > > > Mark > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > >
