Re: Checking User log in in a JSP page

2001-04-22 Thread Craig R. McClanahan



On Thu, 19 Apr 2001, John Raley wrote:

> I would argue that logging a user in is business logic.  However, the user
> state (i.e. whether the user is logged in) is part of the model - a "permission
> denied" message is the appropriate view of the model when the user is not
> logged in; thus this belongs in the JSP.
> 

I would agree with this.

> I check permissions at the top of all of my JSP's - I don't feel that this has
> caused business logic to leak into the pages.  However, if clients can post
> directly to your actions the actions need to check permissions, too (since the
> post might not have come from a valid page).
> 

The Struts example app takes the philosophy that you should check both
places, so it does -- in the actions, and at the top of the relevant pages
(a custom tag is used for this purpose).  Here's the reasoning:

Ideally, you would only do this kind of check in the controller.  However,
what happens if a user navigates to a JSP page directly (through a
bookmark or something) and bypasses the check your controller would
make?  This is a non-issue if you have the JSP pages hidden behind a
security constraint, or stored in the WEB-INF directory so that users
cannot access them directly, but you have to deal with it otherwise.

In servlet containers based on the 2.3 specification (currently in
Proposed Final Draft state), you will be able to create a Filter to do
this kind of thing, even on direct requests to a JSP page.

Craig McClanahan
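The Filter approach mentioned in the message above, sketched as an added example (not code from this thread or from the Struts example app). It assumes the logged-in user object is stored in the session under the key "user" and that the logon page is "/logon.jsp"; both names, and the class name, are hypothetical and configurable.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet 2.3 filter, intended to be mapped in web.xml to the url-pattern *.jsp so
// that it also runs on direct (bookmarked) requests that never reach the controller.
// The actions still make their own check, as discussed in the thread.
public class LoginCheckFilter implements Filter {
    private String userKey;    // session attribute holding the user (assumed name)
    private String logonPage;  // context-relative logon page (assumed path)

    public void init(FilterConfig config) throws ServletException {
        userKey = param(config, "userKey", "user");
        logonPage = param(config, "logonPage", "/logon.jsp");
    }

    private static String param(FilterConfig config, String name, String dflt) {
        String v = config.getInitParameter(name);
        return (v == null || v.trim().length() == 0) ? dflt : v.trim();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The logon page itself must pass, otherwise the redirect below loops.
        if (logonPage.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): do not create a session just to find out nobody is logged in.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(userKey) == null) {
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + logonPage));
            return; // the protected JSP is never executed
        }
        chain.doFilter(req, res); // logged in: continue to the requested page
    }

    public void destroy() { }
}
```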




RE: Checking User log in in a JSP page

2001-04-19 Thread Tobias Meyer

Hi...

> I would argue that logging a user in is business logic.  However, the user
> state (i.e. whether the user is logged in) is part of the model - a "permission
> denied" message is the appropriate view of the model when the user is not
> logged in; thus this belongs in the JSP.

Everything is right - though I would say that checking permissions
makes most sense on the controller side (->business logic).

> I check permissions at the top of all of my JSP's - I don't feel that this has
> caused business logic to leak into the pages.  However, if clients can post
> directly to your actions the actions need to check permissions, too (since the
> post might not have come from a valid page).

In my application all important stuff (retrieving/storing data to be
displayed in my JSP) is done by the controller, bypassing the servlet
is possible but doesn't make much sense.
Most likely the user will not see more than some ugly nullpointer
exceptions because beans are missing or whatever. There's no "official"
way to get to these pages directly... so - who cares?! :)

Regards,

Tobias






Re: Checking User log in in a JSP page

2001-04-19 Thread John Raley

I would argue that logging a user in is business logic.  However, the user
state (i.e. whether the user is logged in) is part of the model - a "permission
denied" message is the appropriate view of the model when the user is not
logged in; thus this belongs in the JSP.

I check permissions at the top of all of my JSP's - I don't feel that this has
caused business logic to leak into the pages.  However, if clients can post
directly to your actions the actions need to check permissions, too (since the
post might not have come from a valid page).


Irfan Mohammed wrote:

> This question is regarding where to provide the check for user logged in,
> should it be done in the Jsp or the actionServlet.  While I have proposed
> the Jsp since you may not want a user to see a page if they are not
> registered, others claim that it should be in the actionServlet.  Their
> claim is that checking for user logged in is business logic (even though it's
> done using a tag) and there should be no business logic in a Jsp page.
> Further allowing this you open the Jsp page to adding more business logic.
> My question is where do you draw the line on the business logic that can be
> provided in a Jsp page.  What are the thoughts of designers out there?
>
> Thanks
> Irfan




Checking User log in in a JSP page

2001-04-19 Thread Irfan Mohammed

This question is regarding where to provide the check for user logged in,
should it be done in the Jsp or the actionServlet.  While I have proposed
the Jsp since you may not want a user to see a page if they are not
registered, others claim that it should be in the actionServlet.  Their
claim is that checking for user logged in is business logic (even though it's
done using a tag) and there should be no business logic in a Jsp page.
Further allowing this you open the Jsp page to adding more business logic.
My question is where do you draw the line on the business logic that can be
provided in a Jsp page.  What are the thoughts of designers out there?

Thanks
Irfan