I would argue that logging a user in is business logic. However, the user
state (i.e. whether the user is logged in) is part of the model - a "permission
denied" message is the appropriate view of the model when the user is not
logged in; thus this belongs in the JSP.
I check permissions at the top of all of my JSP's - I don't feel that this has
caused business logic to leak into the pages. However, if clients can post
directly to your actions the actions need to check permissions, too (since the
post might not have come from a valid page).
Irfan Mohammed wrote:
> This question is regarding where to provide the check for user logged in,
> should it be done in the Jsp or the actionServlet. While I have proposed
> the Jsp since you may not want a user to see a page if they are not
> registered, others claim that it should be in the actionServlet. Their
> claim is that checking for user logged in is business logic (even though its
> done using a tag) and there should be no business logic in a Jsp page.
> Further allowing this you open the Jsp page to adding more business logic.
> My question is where do you draw the line on the business logic that can be
> provided in a Jsp page. What are the thoughts of designers out there.
>
> Thanks
> Irfan
