Checking User log in in a JSP page

2001-04-19 Thread Irfan Mohammed

This question is regarding where to provide the check for user logged in,
should it be done in the Jsp or the actionServlet.  While I have proposed
the Jsp since you may not want a user to see a page if they are not
registered, others claim that it should be in the actionServlet.  Their
claim is that checking for user logged in is business logic (even though it's
done using a tag) and there should be no business logic in a Jsp page.
Further, by allowing this you open the Jsp page to adding more business logic.
My question is: where do you draw the line on the business logic that can be
provided in a Jsp page?  What are the thoughts of designers out there?

Thanks
Irfan



Re: Checking User log in in a JSP page

2001-04-19 Thread John Raley

I would argue that logging a user in is business logic.  However, the user
state (i.e. whether the user is logged in) is part of the model - a "permission
denied" message is the appropriate view of the model when the user is not
logged in; thus this belongs in the JSP.

I check permissions at the top of all of my JSPs - I don't feel that this has
caused business logic to leak into the pages.  However, if clients can post
directly to your actions the actions need to check permissions, too (since the
post might not have come from a valid page).


Irfan Mohammed wrote:

> This question is regarding where to provide the check for user logged in,
> should it be done in the Jsp or the actionServlet.  While I have proposed
> the Jsp since you may not want a user to see a page if they are not
> registered, others claim that it should be in the actionServlet.  Their
> claim is that checking for user logged in is business logic (even though it's
> done using a tag) and there should be no business logic in a Jsp page.
> Further, by allowing this you open the Jsp page to adding more business logic.
> My question is: where do you draw the line on the business logic that can be
> provided in a Jsp page?  What are the thoughts of designers out there?
>
> Thanks
> Irfan




RE: Checking User log in in a JSP page

2001-04-19 Thread Tobias Meyer

Hi...

> I would argue that logging a user in is business logic.  However, the user
> state (i.e. whether the user is logged in) is part of the model - a "permission
> denied" message is the appropriate view of the model when the user is not
> logged in; thus this belongs in the JSP.

Everything is right - though I would say that checking permissions
makes most sense on the controller side (-business logic).

> I check permissions at the top of all of my JSPs - I don't feel that this has
> caused business logic to leak into the pages.  However, if clients can post
> directly to your actions the actions need to check permissions, too (since the
> post might not have come from a valid page).

In my application all important stuff (retrieving/storing data to be
displayed in my JSP) is done by the controller; bypassing the servlet
is possible but doesn't make much sense.
Most likely the user will not see more than some ugly nullpointer
exceptions because beans are missing or whatever. There's no "official"
way to get to these pages directly... so - who cares?! :)

Regards,

Tobias
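
The thread's two concerns, a JSP requested directly and a request posted straight to an action, can both be covered by one check in front of the controller and the pages. The following is an added example, not code from any poster in this thread; it uses the standard Servlet Filter API, and the session attribute `user`, `/login.jsp` and `/login.do` are assumed names.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: a single login check for every request, JSP or action.
 * Map it in web.xml to "/*" (or to both "*.jsp" and "*.do") so neither
 * path can be reached without passing through it.
 */
public class LoginRequiredFilter implements Filter {
    // Assumed names, not taken from the thread.
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login.do";

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** Fail closed: anything that is not the login page or action needs a user. */
    static boolean allowed(String servletPath, boolean loggedIn) {
        return loggedIn
                || LOGIN_PAGE.equals(servletPath)
                || LOGIN_ACTION.equals(servletPath);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect it.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        // getServletPath() excludes the context path and any ";jsessionid=" suffix,
        // so the comparison cannot be sidestepped with path parameters.
        if (allowed(request.getServletPath(), loggedIn)) {
            chain.doFilter(req, res);   // continue to the action or JSP
        } else {
            // Same response whether the target was a page or an action.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}
```

JSPs that are only ever reached by a forward from an action can also be placed under `WEB-INF/`, which the container does not serve to clients directly.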