And yes, for us it' not possible to give users to change only parts of jsp's
and deny execution of these parts based on some credential assessments
executed during some if checkAccess tags
kazukin6 wrote:
Martin, thanks for a guide! I took a look at the Jetspeed (and portlet
specifications too) and it seems pretty intresting. I'll definetely study
it. The only thing that scares me that spec-s
(http://www.jcp.org/aboutJava/communityprocess/review/jsr168/) wasnt
updated since 2003
And yes, you really got it. Our system indeed is a portal and CMS and
something else too. And it somehow resembles the functions the Portal API
has. At this moment we're developing CRM part based on it. We already have
a whole bunch of portal functionality (it doesnt have any XML config cause
it's highly dynamic and config is stored in DB) and very specific security
system, tuned to our specific features, and at this point I'm not sure
we'll be able to seamlessly integrate any second-party solution into this
architecture.
mgainty wrote:
that was a 30 second solution amongst 100 different solutionsBR
so maybe you want to categorise the jsps and then enable / disable
view/update/delete of the resourcesBR in those categories depending on
the authenticated credentials of the userBR
for this scenario you might want to look at portals and or
content-management systemsBR
i would start hereBR
http://portals.apache.org/jetspeed-1/fusion.htmlBR
MartinBR
__ BR
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relates to the official
business of Sender. This transmission is of a confidential nature and
Sender does not endorse distribution to any party other than intended
recipient. Sender does not necessarily endorse content contained within
this transmission.
Date: Sat, 13 Sep 2008 17:32:29 -0700
From: [EMAIL PROTECTED]
To: users@tomcat.apache.org
Subject: Question is answered. See Bill Barker-2 answer
Hi, Martin
Thanks for the answer
I see, what you mean, but the problem is slightly different
The matter is that our users can change jsp files whatever they like via
administrative interface, so we want to restrict the use of scriplets in
these jsp's because of possible abuses
Bill Barker-2 provided the comprehensive answer to this problem
mgainty wrote:
use ths struts if tag to conditionally disable the code
%@ taglib prefix=s uri=/struts-tags%
s:if test=%{false}
divWill Not Be Executed/div
/s:if
http://struts.apache.org/2.0.11.2/docs/if.html
datorită struts
Martin
__
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relates to the official
business of Sender. This transmission is of a confidential nature and
Sender does not endorse distribution to any party other than intended
recipient. Sender does not necessarily endorse content contained
within
this transmission.
Date: Sat, 13 Sep 2008 08:58:59 -0700
From: [EMAIL PROTECTED]
To: users@tomcat.apache.org
Subject: Re: Disable java code execution %blabla% in jsp, but
permits
tags
We want them to be able to customize information they get from our
system
by
using custom tags
H. Hall wrote:
kazukin6 wrote:
Plz Help !!
Is it possible to disable all java code execution within jsp page
(by
security manager or something)
but allow custom tags to be executed?
The problem is that the users can change jsp files, and due to
security
reasons we can allow them to use only tags
Why are users allowed to change jsp files?
HH
--
H. Hall
ReedyRiver Group LLC
http://www.reedyriver.com
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
View this message in context:
http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19471795.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
_
Get more out of the Web. Learn 10 hidden secrets of Windows Live.
http://windowslive.com/connect/post/jamiethomson.spaces.live.com-Blog-cns!550F681DAD532637!5295.entry?ocid=TXT_TAGLM_WL_domore_092008
--
View this message in context:
http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19476209.html
Sent from
